Verification of quantum computation: An overview of existing approaches

Quantum computers promise to efficiently solve not only problems believed to be intractable for classical computers, but also problems for which verifying the solution is also considered intractable. This raises the question of how one can check whether quantum computers are indeed producing correct results. This task, known as quantum verification, has been highlighted as a significant challenge on the road to scalable quantum computing technology. We review the most significant approaches to quantum verification and compare them in terms of structure, complexity and required resources. We also comment on the use of cryptographic techniques which, for many of the presented protocols, has proven extremely useful in performing verification. Finally, we discuss issues related to fault tolerance, experimental implementations and the outlook for future protocols.


Introduction
Quantum computation is the subject of intense research due to the potential of quantum computers to efficiently solve problems which are believed to be intractable for classical computers. The current focus of experiments, aiming to realize scalable quantum computation, is to demonstrate a quantum computational advantage. In other words, this means performing a quantum computation in order to solve a problem which is proven to be classically intractable, based on plausible complexity-theoretic assumptions. Examples of such problems, suitable for near-term experiments, include boson sampling [1], instantaneous quantum polynomial time (IQP) computations [2] and others [3][4][5]. The prospect of achieving these tasks has ignited a flurry of experimental efforts [6][7][8][9]. However, while demonstrating a quantum computational advantage is an important milestone towards scalable quantum computing, it also raises a significant challenge: If a quantum experiment solves a problem which is proven to be intractable for classical computers, how can one verify the outcome of the experiment?
The first researcher who formalised the above "paradox" as a complexity theoretic question was Gottesman, in a 2004 conference [10]. It was then promoted, in 2007, as a complexity challenge by Aaronson who asked: "If a quantum computer can efficiently solve a problem, can it also efficiently convince an observer that the solution is correct? More formally, does every language in the class of quantumly tractable problems (BQP) admit an interactive proof where the prover is in BQP and the verifier is in the class of classically tractable problems (BPP)? " [10]. Vazirani, then emphasized the importance of this question, not only from the perspective of complexity theory, but from a philosophical point of view [11]. In 2007, he raised the question of whether quantum mechanics is a falsifiable theory, and suggested that a computational approach could answer this question. This perspective was explored in depth by Aharonov and Vazirani in [12]. They argued that although many of the predictions of quantum mechanics have been experimentally verified to a remarkable precision, all of them involved systems of low complexity. In other words, they involved few particles or few degrees of freedom for the quantum mechanical system. But the same technique of "predict and verify" would quickly become infeasible for systems of even a few hundred interacting particles due to the exponential overhead in classically simulating quantum systems. And so what if, they ask, the predictions of quantum mechanics start to differ significantly from the real world in the high complexity regime? How would we be able to check this? Thus, the fundamental question is whether there exists a verification procedure for quantum mechanical predictions which is efficient for arbitrarily large systems.
In trying to answer this question we return to complexity theory. The primary complexity class that we are interested in is BQP, which, as mentioned above, is the class of problems that can be solved efficiently by a quantum computer. The analogous class for classical computers, with randomness, is denoted BPP. Finally, concerning verification, we have the class MA, which stands for Merlin-Arthur. This consists of problems whose solutions can be verified by a BPP machine when given a proof string, called a witness 4 . BPP is contained in BQP, since any problem which can be solved efficiently on a classical computer can also be solved efficiently on a quantum computer. Additionally BPP is contained in MA since any BPP problem admits a trivial empty witness. Both of these containments are believed to be strict, though this is still unproven.
What about the relationship between BQP and MA? Problems are known that are contained in both classes and are believed to be outside of BPP. One such example is factoring. Shor's polynomial-time quantum algorithm for factoring demonstrates that the problem is in BQP [14]. Additionally, for any number to be factored, the witness simply consists of a list of its prime factors, thus showing that the problem is also in MA. In general, however, it is believed that BQP is not contained in MA. An example of a BQP problem not believed to be in MA is approximating a knot invariant called the Jones polynomial which has applications ranging from protein folding to Topological Quantum Field Theory (TQFT) [15][16][17]. The conjectured relationship between these complexity classes is illustrated in Figure 1. What this tells us is that, very likely, there do not exist witnesses certifying the outcomes of general quantum experiments 5 . We therefore turn to a generalization of MA known as an interactive-proof system. This consists of two entities: a verifier and a prover. The verifier is a BPP machine, whereas the prover has unbounded computational power. Given a problem for which the verifier wants to check a reported solution, the verifier and the prover interact for a number of rounds which is polynomial in the size of the input to the problem. At the end of this interaction, the verifier should accept a valid solution with high probability and reject, with high probability, otherwise. The class of problems which admit such a protocol is denoted IP 6 . In contrast to MA, instead of having a single proof string for each problem, one has a transcript of back-and-forth communication between the verifier and the prover.
If we are willing to allow our notion of verification to include such interactive protocols, then one would like to know whether BQP is contained in IP. Unlike the relation between BQP and MA, it is, in fact, the case that BQP ⊆ IP, which means that every problem which can be efficiently solved by a quantum computer admits an interactive-proof system. One would be tempted to think that this solves the question of verification, however, the situation is more subtle. Recall that in IP, the prover is computationally unbounded, whereas for our purposes we would require the prover to be restricted to BQP computations. Hence, the question that we would like answered and, arguably, the main open problem concerning quantum verification is the following: Problem 1 (Verifiability of BQP computations). Does every problem in BQP admit an interactive-proof system in which the prover is restricted to BQP computations?
As mentioned, this complexity theoretic formulation of the problem was considered by Gottesman, Aaronson and Vazirani [10,11] and, in fact, Scott Aaronson has offered a 25$ prize for its resolution [10]. While, as of yet, the question remains open, one does arrive at a positive answer through slight alterations of the interactive-proof system. Specifically, if the verifier interacts with two or more BQP-restricted provers, instead of one, and the provers are not allowed to communicate with each other during the protocol, then it is possible to efficiently verify arbitrary BQP computations [19][20][21][22][23][24][25]. Alternatively, in the single-prover setting, if we allow the verifier to have a constant-size quantum computer and the ability to send/receive quantum states to/from the prover then it is again possible to verify all polynomial-time quantum computations [26][27][28][29][30][31][32][33][34]. Note that in this case, while the verifier is no longer fully "classical", its computational capability is still restricted to BPP since simulating a constant-size quantum computer can be done in constant time. These scenarios are depicted in Figure 2.
(a) Classical verifier interacting with two entangled but non-communicating quantum provers (b) Verifier with the ability to prepare or measure constant-size quantum states interacting with a single quantum prover The primary technique that has been employed in most, thought not all, of these settings, to achieve verification, is known as blindness. This entails delegating a computation to the provers in such a way that they cannot distinguish this computation from any other of the same size, unconditionally 7 . Intuitively, verification then follows by having most of these computations be tests or traps which the verifier can check. If the provers attempt to deviate they will have a high chance of triggering these traps and prompt the verifier to reject.
In this paper, we review all of these approaches to verification. We broadly classify the protocols as follows: 1. Single-prover prepare-and-send. These are protocols in which the verifier has the ability to prepare quantum states and send them to the prover. They are covered in Section 2. 2. Single-prover receive-and-measure. In this case, the verifier receives quantum states from the prover and has the ability to measure them. These protocols are presented in Section 3. 3. Multi-prover entanglement-based. In this case, the verifier is fully classical, however it interacts with more than one prover. The provers are not allowed to communicate during the protocol. Section 4 is devoted to these protocols.
From the complexity-theoretic perspective, the protocols from the first two sections are classified as QPIP protocols, or protocols in which the verifier has a minimal quantum device and can send or receive quantum states. Conversely, the entanglement-based protocols are classified as MIP * protocols, in which the verifier is classical and interacting with provers that share entanglement 8 .
After reviewing the major approaches to verification, in Section 5, we address a number of related topics. In particular, while all of the protocols from Sections 2-4 are concerned with the verification of general BQP computations, in Subsection 5.1 we mention sub-universal protocols, designed to verify only a particular subclass of quantum computations. Next, in Subsection 5.2 we discuss an important practical aspect concerning verification, which is fault tolerance. We comment on the possibility of making protocols resistant to noise which could affect any of the involved quantum devices. This is an important consideration for any realistic implementation of a verification protocol. Finally, in Subsection 5.3 we outline some of the existing experimental implementations of these protocols.
Throughout the review, we are assuming familiarity with the basics of quantum information theory and some elements of complexity theory. However, we provide a brief overview of these topics as well as other notions that are used in this review (such as measurement-based quantum computing) in the appendix, Section 7. Note also, that we will be referencing complexity classes such as BQP, QMA, QPIP and MIP * . Definitions for all of these are provided in Subsection 7.3 of the appendix. We begin with a short overview of blind quantum computing.

Blind quantum computing
The concept of blind computing is highly relevant to quantum verification. Here, we simply give a succinct outline of the subject. For more details, see this review of blind quantum computing protocols by Fitzsimons [35] as well as [36][37][38][39][40]. Note that, while the review of Fitzsimons covers all of the material presented in this section (and more), we restate the main ideas, so that our review is self-consistent and also in order to establish some of the notation that is used throughout the rest of the paper.
Blindness is related to the idea of computing on encrypted data [41]. Suppose a client has some input x and would like to compute a function f of that input, however, evaluating the function directly is computationally infeasible for the client. Luckily, the client has access to a server with the ability to evaluate f (x). The problem is that the client does not trust the server with the input x, since it might involve private or secret information (e.g. medical records, military secrets, proprietary information etc). The client does, however, have the ability to encrypt x, using some encryption procedure E, to a ciphertext y ← E(x). As long as this encryption procedure hides x sufficiently well, the client can send y to the server and receive in return (potentially after some interaction with the server) a string z which decrypts to f (x). In other words, f (x) ← D(z), where D is a decryption procedure that can be performed efficiently by the client 9 . The encryption procedure can, roughly, provide two types of security: computational or information-theoretic. Computational security means that the protocol is secure as long as certain computational assumptions are true (for instance that the server is unable to invert one-way functions). Information-theoretic security (sometimes referred to as unconditional security), on the other hand, guarantees that the protocol is secure even against a server of unbounded computational power. See [46] for more details on these topics.
In the quantum setting, the situation is similar to that of QPIP protocols: the client is restricted to BPP computations, but has some limited quantum capabilities, whereas the server is a BQP machine. Thus, the client would like to delegate BQP functions to the server, while keeping the input and the output hidden. The first solution to this problem was provided by Childs [36]. His protocol achieves information-theoretic security but also requires the client and the server to exchange quantum messages for a number of rounds that is proportional to the size of the computation. This was later improved in a protocol by Broadbent, Fitzsimons and Kashefi [37], known as universal blind quantum computing (UBQC), which maintained information-theoretic security but reduced the quantum communication to a single message from the client to the server. UBQC still requires the client and the server to have a total communication which is proportional to the size of the computation, however, apart from the first quantum message, the interaction is purely classical. Let us now state the definition of perfect, or information-theoretic, blindness from [37]: Definition 1 (Blindness). Let P be a delegated quantum computation protocol involving a client and a server. The client draws the input from the random variable X. Let L(X) be any function of this random and multiple entangled provers) as it follows from the definitions of these classes. The definitions can be found in Subsection 7.3. 9 In the classical setting, computing on encrypted data culminated with the development of fully homomorphic encryption (FHE), which is considered the "holly grail " of the field [42][43][44][45]. Using FHE, a client can delegate the evaluation of any polynomial-size classical circuit to a server, such that the input and output of the circuit are kept hidden from the server, based on reasonable computational assumptions. Moreover, the protocol involves only one round of back-and-forth interaction between client and server.
variable. We say that the protocol is blind while leaking at most L(X) if, on the client's input X, for any l ∈ Range(L), the following two hold when given l ← L(X): 1. The distribution of the classical information obtained by the server in P is independent of X. 2. Given the distribution of classical information described in 1, the state of the quantum system obtained by the server in P is fixed and independent of X.
The definition is essentially saying that the server's "view" of the protocol should be independent of the input, when given the length of the input. This view consists, on the one hand, of the classical information he receives, which is independent of X, given L(X). On the other hand, for any fixed choice of this classical information, his quantum state should also be independent of X, given L(X). Note that the definition can be extended to the case of multiple servers as well. To provide intuition for how a protocol can achieve blindness, we will briefly recap the main ideas from [36,37]. We start by considering the quantum one-time pad.
Quantum one-time pad. Suppose we have two parties, Alice and Bob, and Alice wishes to send one qubit, ρ, to Bob such that all information about ρ is kept hidden from a potential eavesdropper, Eve. For this to work, we will assume that Alice and Bob share two classical random bits, denoted b 1 and b 2 , that are known only to them. Alice will then apply the operation X b1 Z b2 (the quantum one-time pad) to ρ, resulting in the state X b1 Z b2 ρZ b2 X b1 , and send this state to Bob. If Bob then also applies X b1 Z b2 to the state he received, he will recover ρ. What happens if Eve intercepts the state that Alice sends to Bob? Because Eve does not know the random bits b 1 and b 2 , the state that she will intercept will be: However, it can be shown that for any single-qubit state ρ: In other words, the state that Eve intercepts is the totally mixed state, irrespective of the original state ρ. But the totally mixed state is, by definition, the state of maximal uncertainty. Hence, Eve cannot recover any information about ρ, regardless of her computational power. Note, that for this argument to work, and in particular for Equation 2 to be true, Alice and Bob's shared bits must be uniformly random.
If Alice wishes to send n qubits to Bob, then as long as Alice and Bob share 2n random bits, they can simply perform the same procedure for each of the n qubits. Equation 2 generalizes for the multi-qubit case so that for an n-qubit state ρ we have: Here, b 1 and b 2 are n-bit vectors, Z b(i) and I is the 2 n -dimensional identity matrix.
Childs' protocol for blind computation. Now suppose Alice has some n-qubit state ρ and wants a quantum circuit C to be applied to this state and the output to be measured in the computational basis. However, she only has the ability to store n qubits, prepare qubits in the |0 state, swap any two qubits, or apply a Pauli X or Z to any of the n qubits. So in general, she will not be able to apply a general quantum circuit C, or perform measurements. Bob, on the other hand, does not have these limitations as he is a BQP machine and thus able to perform universal quantum computations. How can Alice delegate the application of C to her state without revealing any information about it, apart from its size, to Bob? The answer is provided by Childs' protocol [36]. Before presenting the protocol, recall that any quantum circuit, C, can be expressed as a combination of Clifford operations and T gates. Additionally, Clifford operations commute with Pauli gates. All of these notions are defined in the appendix, Subsection 7.1.
First, Alice will one-time pad her state and send the padded state to Bob. As mentioned, this will reveal no information to Bob about ρ. Next, Alice instructs Bob to start applying the gates in C to the padded state. Apart from the T gates, all other operations in C will be Clifford operations, which commute with Pauli gates. Thus, if Alice's padded state is X(b 1 )Z(b 2 )ρZ(b 2 )X(b 1 ) and Bob applies the Clifford unitary U C , the resulting state will be: Here, b 1 and b 2 are linearly related to b 1 and b 2 , meaning that Alice can compute them using only xor operations. This gives her an updated pad for her state. If C consisted exclusively of Clifford operations then Alice would only need to keep track of the updated pad (also referred to as the Pauli frame) after each gate. Once Bob returns the state, she simply undoes the one-time pad using the updated key, that she computed, and recovers CρC † . Of course, this will not work if C contains T gates, since: where S = T 2 . In other words, if we try to commute the T operation with the one-time pad we will get an unwanted S gate applied to the state. Worse, the S will have a dependency on one of the secret pad bits for that particular qubit. This means that if Alice asks Bob to apply an S a operation she will reveal one of her pad bits. Fortunately, as explained in [36], there is a simple way to remedy this problem. After each T gate, Alice asks Bob to return the quantum state to her. Suppose that Bob had to apply a T on qubit j. Alice then applies a new one-time pad on that qubit. If the previous pad had no X gate applied to j, she will swap this qubit with a dummy state that does not take part in the computation 10 , otherwise she leaves the state unchanged. She then returns the state to Bob and asks him to apply an S gate to qubit j. Since this operation will always be applied, after a T gate, it does not reveal any information about Alice's pad. Bob's operation will therefore cancel the unwanted S gate when this appears and otherwise it will act on a qubit which does not take part in the computation. The state should then be sent back to Alice so that she can undo the swap operation if it was performed. Once all the gates in C have been applied, Bob is instructed to measure the resulting state in the computational basis and return the classical outcomes to Alice. Since the quantum output was one-time padded, the classical outcomes will also be one-time padded. Alice will then undo the pad an recover her desired output. While Childs' protocol provides an elegant solution to the problem of quantum computing on encrypted data, it has significant requirements in terms of Alice's quantum capabilities. If Alice's input is fully classical, i.e. some state |x , where x ∈ {0, 1} n , then Alice would only require a constant-size quantum memory. Even so, the protocol requires Alice and Bob to exchange multiple quantum messages. This, however, is not the case with UBQC which limits the quantum communication to one quantum message sent from Alice to Bob at the beginning of the protocol. Let us now briefly state the main ideas of that protocol.
Universal Blind Quantum Computation (UBQC). In UBQC the objective is to not only hide the input (and output) from Bob, but also the circuit which will act on that input 11 [37]. As in the previous case, Alice would like to delegate to Bob the application of some circuit C on her input (which, for simplicity, we will assume is classical). This time, however, we view C as an MBQC computation 12 . By considering some universal graph state, |G , such as the brickwork state (see Figure 17), Alice can convert C into a description of |G (the graph G) along with the appropriate measurement angles for the qubits in the graph state. By the property of the universal graph state, the graph G would be the same for all circuits C having the same number of gates as C. Hence, if she were to send this description to Bob, it would not reveal to him the circuit C, merely an upper bound on its size. It is, in fact, the measurement angles and the ordering of the measurements (known as flow ) that uniquely characterise C [47]. But the measurement angles are chosen assuming all qubits in the graph state were initially prepared in the |+ state. Since these are XY-plane measurements, as explained in Subsection 7.1, the probabilities, for the two possible outcomes, depend only on the difference between the measurement angle and the preparation angle of the state, which is 0, in this case 13 . Suppose instead that each qubit, indexed i, in the cluster state, were instead prepared in the state |+ θi . Then, if the original measurement angle for qubit i was φ i , to preserve the relative angles, the new value would be φ i + θ i . If the values for θ i are chosen at 10 For instance, her initial state ρ could contain a number of |0 qubits that is equal to the number of T gates in the circuit. 11 This is also possible in Childs' protocol by simply encoding the description of the circuit C in the input and asking Bob to run a universal quantum circuit. The one-time padded input that is sent to Bob would then comprise of both the description of C as well as x, the input for C. 12 For a brief overview of MBQC see Subsection 7.2. 13 This remains true even if the qubits have been entangled with the CZ operation. random, then they effectively act as a one-time pad for the original measurement angles φ i . This means that if Bob does not know the preparation angles of the qubits and were instructed to measure them at the updated angles φ i + θ i , to him, these angles would be indistinguishable from random, irrespective of the values of φ i . He would, however, learn the measurement outcomes of the MBQC computation. But there is a simple way to hide this information as well. One can flip the probabilities of the measurement outcomes for a particular state by performing a π rotation around Z axis. In other words, the updated measurement angles will be δ i = φ i + θ i + r i π, where r i is sampled randomly from {0, 1}.
To recap, UBQC works as follows: (1) Alice chooses an input x and a quantum computation C that she would like Bob to perform on |x .
(2) She converts x and C into a pair (G, {φ i } i ), where |G is an N -qubit universal graph state (with an established ordering for measuring the qubits), N = O(|C|) and {φ i } i is the set of computation angles allowing for the MBQC computation of C |x .
(4) She then prepares the states |+ θi and sends them to Bob, who is instructed to entangle them, using CZ operations, according to the graph structure G.
(5) Alice then asks Bob to measure the qubits at the angles δ i = φ i +θ i +r i π and return the measurement outcomes to her. Here, φ i is an updated version of φ i that incorporates corrections resulting from previous measurements, as in the description of MBQC given in Subsection 7.2.
(6) After all the measurements have been performed, Alice undoes the r i one-time padding of the measurement outcomes, thus recovering the true outcome of the computation.
The protocol is illustrated schematically in Figure 3, reproduced from [48] (the variables b 1 , b 2 , b 3 indicate measurement outcomes).

Fig. 3: Universal Blind Quantum Computation
We can see that as long as Bob does not know the values of the θ i and r i variables, the measurements he is asked to perform, as well as their outcomes, will appear totally random to him. The reason why Bob cannot learn the values of θ i and r i from the qubits prepared by Alice is due to the limitation, in quantum mechanics, that one cannot distinguish between non-orthogonal states. In fact, a subsequent paper by Dunjko and Kashefi shows that Alice can utilize any two non-overlapping, non-orthogonal states in order to perform UBQC [49].

Prepare-and-send protocols
We start by reviewing QPIP protocols in which the only quantum capability of the verifier is to prepare and send constant-size quantum states to the prover (no measurement). The verifier must use this capability in order to delegate the application of some BQP circuit, C, on an input |ψ 14 . Through interaction with the prover, the verifier will attempt to certify that the correct circuit was indeed applied on her input, with high probability, aborting the protocol otherwise.
There are three major approaches that fit this description and we devote a subsection to each of them: 1. Subsection 2.1: two protocols based on quantum authentication, developed by Aharonov, Ben-Or, Eban and Mahadev [26,27]. 2. Subsection 2.2: a trap-based protocol, developed by Fitzsimons and Kashefi [28]. 3. Subsection 2.3: a scheme based on repeating indistinguishable runs of tests and computations, developed by Broadbent [29].
In the context of prepare-and-send protocols, it is useful to provide more refined notions of completeness and soundness than the ones in the definition of a QPIP protocol. This is because, apart from knowing that the verifier wishes to delegate a BQP computation to the prover, we also know that it prepares a particular quantum state and sends it to the prover to act with some unitary operation on it (corresponding to the quantum circuit associated with the BQP computation). This extra information allows us to define δ-correctness and -verifiability. We start with the latter: Definition 2 ( -verifiability). Consider a delegated quantum computation protocol between a verifier and a prover and let the verifier's quantum state be |ψ |f lag , where |ψ is the input state to the protocol and |f lag is a flag state denoting whether the verifier accepts (|f lag = |acc ) or rejects (|f lag = |rej ) at the end of the protocol. Consider also the quantum channel Enc s (encoding), acting on the verifier's state, where s denotes a private random string, sampled by the verifier from some distribution p(s). Let P honest denote the CPTP map corresponding to the honest action of the prover in the protocol (i.e. following the instructions of the verifier) acting on the verifier's state. Additionally, define: as a projection onto the orthogonal complement of the correct output: and on acceptance for the flag state: |acc s acc s | = T r input (P honest (Enc s (|ψ ψ| ⊗ |acc acc|))) We say that such a protocol is -verifiable (with 0 ≤ ≤ 1), if for any action P, of the prover, we have that 15 : T r s p(s)P s incorrect P(Enc s (|ψ ψ| ⊗ |acc acc|)) ≤ Essentially, this definition says that the probability for the output of the protocol to be incorrect and the verifier accepting, should be bounded by . As a simple mathematical statement we would write this as the joint distribution: P r(incorrect, accept) ≤ One could also ask whether P r(incorrect|accept) should also be upper bounded. Indeed, it would seem like this conditional distribution is a better match for our intuition regarding the "probability of accepting an incorrect outcome". However, upon closer scrutiny, we find that the conditional distribution cannot be upper bounded. To understand why, note that we can express the conditional distribution as: Now, it is true that if P r(accept) is close to 1 and the joint distribution is upper bounded, then the conditional distribution will also be upper bounded. However, suppose the prover behaves in such a 15 An alternative to Equation 9 is: T D(ρout, p |Ψ s out Ψ s out | ⊗ |acc s acc s | + (1 − p)ρ ⊗ |rej s rej s |) ≤ , for some 0 ≤ p ≤ 1 and some density matrix ρ. In other words, the output state of the protocol, ρout, is close to a state which is a mixture of the correct output state with acceptance and an arbitrary state and rejection. This definition can be more useful when one is interested in a quantum output for the protocol (i.e. the prover returns a quantum state to the verifier). Such a situation is particularly useful when composing verification protocols [20,[50][51][52].
way that it causes the verifier to reject most of the time. Moreover, suppose that the joint distribution P r(incorrect, accept) has a fixed but non-zero value 16 . In that case, the probability of acceptance would be very small and we can no longer bound the conditional probability. Therefore, the quantity that we will generally be interested in, and the one that will always be bounded in verification protocols is the joint probability P r(incorrect, accept).
We now define δ-correctness: Definition 3 (δ-correctness). Consider a delegated quantum computation protocol between a verifier and a prover. Using the notation from Definition 2, and letting: be the projection onto the correct output and on acceptance for the flag state, we say that such a protocol is δ-correct (with 0 ≤ δ ≤ 1), if for all strings s we have that: T r (P s correct P honest (Enc s (|ψ ψ| ⊗ |acc acc|))) ≥ δ This definition says that when the prover behaves honestly, the verifier obtains the correct outcome, with high probability, for any possible choice of its secret parameters. If a prepare-and-send protocol has both δ-correctness and -verifiability, for some δ > 0, < 1, it will also have completeness δ(1/2 + 1/poly(n)) and soundness as a QPIP protocol, where n is the size of the input. The reason for the asymmetry in completeness and soundness is that in the definition of δ-correctness we require that the output quantum state of the protocol is δ-close to the output quantum state of the desired computation. But the computation outcome is dictated by a measurement of this state, which succeeds with probability at least 1/2 + 1/poly(n), from the definition of BQP. Combining these facts leads to δ(1/2 + 1/poly(n)) completeness. It follows that for this to be a valid QPIP protocol it must be that δ(1/2 + 1/poly(n)) − ≥ 1/poly(n), for all inputs. For simplicity, we will instead require δ/2 − ≥ 1/poly(n), which implies the previous inequality. As we will see, for all prepareand-send protocols δ = 1. This condition is easy to achieve by simply designing the protocol so that the honest behaviour of the prover leads to the correct unitary being applied to the verifier's quantum state. Therefore, the main challenge with these protocols will be to show that ≤ 1/2 − 1/poly(n).

Quantum authentication-based verification
This subsection is dedicated to the two protocols presented in [26,27] by Aharonov et al. These protocols are extensions of Quantum Authentication Schemes (QAS), a security primitive introduced in [53] by Barnum et al. A QAS is a scheme for transmitting a quantum state over an insecure quantum channel and being able to indicate whether the state was corrupted or not. More precisely, a QAS involves a sender and a receiver. The sender has some quantum state |ψ |f lag that it would like to send to the receiver over an insecure channel. The state |ψ is the one to be authenticated, while |f lag is an indicator state used to check whether the authentication was performed successfully. We will assume that |f lag starts in the state |acc . It is also assumed that the sender and the receiver share some classical key k, drawn from a probability distribution p(k). To be able to detect the effects of the insecure channel on the state, the sender will first apply some encoding procedure Enc k thus obtaining ρ = k p(k)Enc k (|ψ |acc ). This state is then sent over the quantum channel where it can be tampered with by an eavesdropper resulting in a new state ρ . The receiver, will then apply a decoding procedure to this state, resulting in Dec k (ρ ) and decide whether to accept or reject by measuring the flag subsystem 17 . Similar to verification, this protocol must satisfy two properties: 1. δ-correctness. Intuitively this says that if the state sent through the channel was not tampered with, then the receiver should accept with high probability (at least δ), irrespective of the used keys. More formally, for 0 ≤ δ ≤ 1, let: be the projector onto the correct state |ψ and on acceptance for the flag state. Then, it must be the case that for all keys k: T r (P correct Dec k (Enc k (|ψ ψ| ⊗ |acc acc|))) ≥ δ 16 For instance, if the prover provides random responses to the verifier there is a non-zero chance that one instance of these responses will pass all of the verifier's tests and cause it to accept an incorrect outcome. 17 The projectors for the measurement are assumed to be Pacc = |acc acc|, for acceptance and Prej = I − |acc acc| for rejection.
2. -security. This property states that for any deviation that the eavesdropper applies on the sent state, the probability that the resulting state is far from ideal and the receiver accepts is small. Formally, for 0 ≤ ≤ 1, let: be the projector onto the orthogonal complement of the correct state |ψ , and on acceptance, for the flag state. Then, it must be the case that for any CPTP action, E, of the eavesdropper, we have: To make the similarities between QAS and prepare-and-send protocols more explicit, suppose that, in the above scheme, the receiver were trying to authenticate the state U |ψ instead of |ψ , for some unitary U . In that case, we could view the sender as the verifier at the beginning of the protocol, the eavesdropper as the prover and the receiver as the verifier at the end of the protocol. This is illustrated in Figure 4, reproduced from [48]. If one could therefore augment a QAS scheme with the ability of applying a quantum circuit on the state, while keeping it authenticated, then one would essentially have a prepare-and-send verification protocol. This is what is achieved by the two protocols of Aharonov et al.

Fig. 4: QAS-based verification
Clifford-QAS VQC. The first protocol, named Clifford QAS-based Verifiable Quantum Computing (Clifford-QAS VQC) is based on a QAS which uses Clifford operations in order to perform the encoding procedure. Strictly speaking, this protocol is not a prepare-and-send protocol, since, as we will see, it involves the verifier performing measurements as well. However, it is a precursor to the second protocol from [26,27], which is a prepare-and-send protocol. Hence, why we review the Clifford-QAS VQC protocol here.
Let us start by explaining the authentication scheme first. As before, let |ψ |f lag be the state that the sender wishes to send to the receiver and k be their shared random key. We will assume that |ψ is an n-qubit state, while |f lag is an m-qubit state. Let t = n + m and C t be the set of t-qubit Clifford operations. We also assume that each possible key, k, can specify a unique t-qubit Clifford operation, denoted C k 18 . The QAS works as follows: (1) The sender performs the encoding procedure Enc k . This consists of applying the Clifford operation C k to the state |ψ |acc .
(2) The state is sent through the quantum channel.
(3) The receiver applies the decoding procedure Dec k which consists of applying C † k to the received state.

(4)
The receiver measures the f lag subsystem and accepts if it is in the |acc state.
We can see that this protocol has correctness δ = 1, since, the sender and receiver's operations are exact inverses of each other and, when there is no intervention from the eavesdropper, they will perfectly cancel out. It is also not too difficult to show that the protocol achieves security = 2 −m . We will include a sketch proof of this result as all other proofs of security, for prepare-and-send protocols, rely on similar ideas. Aharonov et al start by using the following lemma: Lemma 1 (Clifford twirl). Let P 1 , P 2 be two operators from the n-qubit Pauli group, such that P 1 = P 2 19 . For any n-qubit density matrix ρ it is the case that: To see how this lemma is applied, recall that any CPTP map admits a Kraus decomposition, so we can express the eavesdropper's action as: where, {K i } i is the set of Kraus operators, satisfying: Additionally, recall that the n-qubit Pauli group is a basis for all 2 n × 2 n matrices, which means that we can express each Kraus operator as: where j ranges over all indices for n-qubit Pauli operators and {α ij } i,j is a set of complex numbers such that: For simplicity, assume that the phase information of each Pauli operator, i.e. whether it is +1, −1, +i or −i, is absorbed in the α ij terms. One can then re-express the eavesdropper's deviation as: We would now like to use Lemma 1 to see how this deviation affects the encoded state. Given that the encoding procedure involves applying a random Clifford operation to the initial state, which we will denote |Ψ in = |ψ |acc , the state received by the eavesdropper will be: Acting with E on this state and using Equation 19 yields: Now using Lemma 1 we can see that all terms which act with different Pauli operations on both sides of C l |Ψ in Ψ in | C † l will vanish, resulting in: 19 Technically, what is required here is that |P1| = |P2|, since global phases are ignored.
which is a convex combination of Pauli operations acting on the encoded state 20 . The receiver takes this state and applies the decoding operation, which involves inverting the Clifford that was applied by the sender. This will produce the state: Let us take a step back and understand what happened. We saw that any general map can be expressed as a combination of Pauli operators acting on both sides of the target state, ρ. Importantly, the Pauli operators on both sides needed not be equal. However, if the target state is an equal mixture of Clifford operations applied on some other state, in our case |Ψ in Ψ in |, the Clifford twirl lemma makes all non-equal Pauli terms vanish. One is then left with a convex combination of Pauli operators on the target state. If one then undoes the random Clifford operation on this state, each Pauli term in the convex combination will be conjugated by all Cliffords in the set C t . Since conjugating a Pauli by Cliffords results in a new Pauli, it can be shown that the state becomes a mixture of the original |Ψ in Ψ in | and a uniform convex combination of non-identity Paulis acting on |Ψ in Ψ in |. Mathematically, this means: where 0 ≤ β ≤ 1. The last element in the proof is to compute T r(P incorrect σ). Since the first term in the mixture is the ideal state, we will be left with: The terms in the summation will be non-zero whenever P i acts as identity on the flag subsystem. The number of such terms can be computed to be exactly 4 n 2 m − 1 and using the fact that t = m + n and 1 − β ≤ 1, we have: concluding the proof. As mentioned, in all prepare-and-send protocols we assume that the verifier will prepare some state |ψ on which it wants to apply a quantum circuit denoted C. Since we are assuming that the verifier has a constant-size quantum device, the state |ψ will be a product state, i.e. |ψ = |ψ 1 ⊗ |ψ 2 ⊗ ... ⊗ |ψ n . For simplicity, assume each |ψ i is one qubit, though any constant number of qubits is allowed. In Clifford-QAS VQC the verifier will use the prover as an untrusted quantum storage device. Specifically, each |ψ i , from |ψ , will be paired with a constant-size flag system in the accept state, |acc , resulting in a block of the form |block i = |ψ i |acc . Each block will be encoded, by having a random Clifford operation applied on top of it. The verifier prepares these blocks, one at a time, for all i ∈ {1, ...n}, and sends them to the prover. The prover is then asked to return pairs of blocks to the verifier so that she may apply gates from C on them (after undoing the Clifford operations). The verifier then applies new random Cliffords on the blocks and sends them back to the prover. The process continues until all gates in C have been applied.
But what if the prover corrupts the state or deviates in some way? This is where the QAS enters the picture. Since each block has a random Clifford operation applied, the idea is to have the verifier use the Clifford QAS scheme to ensure that the quantum state remains authenticated after each gate in the quantum circuit is applied. In other words, if the prover attempts to deviate at any point resulting in a corrupted state, this should be detected by the authentication scheme. Putting everything together, the protocol works as follows: (1) Suppose the input state that the verifier intends to prepare is |ψ = |ψ 1 ⊗|ψ 2 ⊗...⊗|ψ n , where each |ψ i is a one qubit state 21 . Also let C be quantum circuit that the verifier wishes to apply on |ψ . The verifier prepares (one block at a time) the state |ψ |f lag = |block 1 ⊗ |block 2 ⊗ ... ⊗ |block n , where |block i = |ψ i |acc and each |acc state consists of a constant number m of qubits. Additionally let the size of each block be t = m + 1.
(2) The verifier applies a random Clifford operation, from the set C t on each block and sends it to the prover.
(3) The verifier requests a pair of blocks, (|block i , |block j ), from the prover, in order to apply a gate from C on the corresponding qubits, (|ψ i , |ψ j ). Once the blocks have been received, the verifier undoes the random Cliffords and measures the flag registers, aborting if these are not in the |acc state. Otherwise, the verifier performs the gate from C, applies new random Cliffords on each block and sends them back to the prover. This step repeats until all gates in C have been performed.
(4) Once all gates have been performed, the verifier requests all the blocks (one by one) in order to measure the output. As in the previous step, the verifier will undo the Clifford operations first and measure the flag registers, aborting if any of them are not in the |acc state.
We can see that the security of this protocol reduces to the security of the Clifford QAS. Moreover, it is also clear that if the prover behaves honestly, then the verifier will obtain the correct output state exactly. Hence: For a fixed constant m > 0, Clifford-QAS VQC is a prepare-and-send QPIP protocol having correctness δ = 1 and verifiability = 2 −m .
Poly-QAS VQC. The second protocol in [26,27], is referred to as Polynomial QAS-based Verifiable Quantum Computing (Poly-QAS VQC). It improves upon the previous protocol by removing the interactive quantum communication between the verifier and the prover, reducing it to a single round of quantum messages sent at the beginning of the protocol. To encode the input, this protocol uses a specific type of quantum error correcting code known as a polynomial CSS code [54]. We will not elaborate on the technical details of these codes as that is beyond the scope of this review. We only mention a few basic characteristics which are necessary in order to understand the Poly-QAS VQC protocol. The polynomial CSS codes operate on qudits instead of qubits. A q-qudit is simply a quantum state in a q-dimensional Hilbert space. The generalized computational basis for this space is given by {|i } i≤q . The code takes a q-qudit, |i , as well as |0 states, and encodes them into a state of t = 2d + 1 qudits as follows: where E is the encoding unitary, p ranges over polynomials of degree less than d over the field F q of integers mod q, and {α j } j≤t is a fixed set of m non-zero values from F q (it is assumed that q > t). The code can detect errors on at most d qudits and can correct errors on up to d 2 qudits (hence d 2 is the weight of the code). Importantly, the code is transversal for Clifford operations. Aharonov et al consider a slight variation of this scheme called a signed polynomial code, which allows one to randomize over different polynomial codes. The idea is to have the encoding (and decoding) procedure also depend on a key k ∈ {−1, +1} t as follows: The signed polynomial CSS code can be used to create a simple authentication scheme having security = 2 −d . This works by having the sender encode the state |Ψ in = |ψ |0 ⊗t−1 , where |ψ is a qudit to be authenticated, in the signed code and then one-time padding the encoded state. Note that the |0 ⊗t−1 part of the state is acting as a flag system. We are assuming that the sender and the receiver share both the sign key of the code and the key for the one-time padding. The one-time padded state is then sent over the insecure channel. The receiver undoes the pad and applies the inverse of the encoding operation. It then measures the last t − 1 qudits, accepting if and only if they are all in the |0 state. Proving security is similar to the Clifford QAS and relies on two results: Lemma 2 (Pauli twirl). Let P 1 , P 2 be two operators from the n-qudit Pauli group, denoted P n , such that P 1 = P 2 . For any n-qudit density matrix ρ it is the case that: This result is identical to the Clifford twirl lemma, except the Clifford operations are replaced with Paulis 22 . The result is also valid for qubits.
Lemma 3 (Signed polynomial code security). Let ρ = |ψ ψ| ⊗ |0 0| ⊗t−1 , be a state which will be encoded in the signed polynomial code, P = (I − |ψ ψ|) ⊗ |0 0| ⊗t−1 , be a projector onto the orthogonal complement of |ψ and on |0 t−1 , and Q ∈ P t \{I} be a non-identity Pauli operation on t qudits. Then it is the case that: Using these two results, and the ideas from the Clifford QAS scheme, it is not difficult to prove the security of the above described authentication scheme. As before, the eavesdropper's map is decomposed into Kraus operators which are then expanded into Pauli operations. Since the sender's state is one-time padded, the Pauli twirl lemma will turn the eavesdropper's deviation into a convex combination of Pauli deviations: which can be split into the identity and non-identity Paulis: where β Q are positive real coefficients satisfying: The receiver takes this state and applies the inverse encoding operation, resulting in: But now we know that = T r(P incorrect ρ), and using Lemma 3 together with the facts that T r(P incorrect |Ψ in Ψ in |) = 0 and that the β Q coefficients sum to 1 we end up with: There are two more aspects to be mentioned before giving the steps of the Poly-QAS VQC protocol. The first is that the encoding procedure for the signed polynomial code is implemented using the following interpolation operation: The inverse operation D † k can be though of as a decoding of one term from the superposition in Equation 28. Akin to Lemma 3, the signed polynomial code has the property that, when averaging over all sign keys, k, if such a term had a non-identity Pauli applied to it, when decoding it with D † k , the probability that its last d qudits are not |0 states is upper bounded by 2 −d .
The second aspect is that, as mentioned, the signed polynomial code is transversal for Clifford operations. However, in order to apply non-Clifford operations it is necessary to measure encoded states together with so-called magic states (which will also be encoded). This manner of performing gates is known as gate teleportation [55]. The target state, on which we want to apply a non-Clifford operation, and the magic state are first entangled using a Clifford operation and then the magic state is measured in the computational basis. The effect of the measurement is to have a non-Clifford operation applied on the target state, along with Pauli errors which depend on the measurement outcome. For the non-Clifford operations, Aharonov et al use Toffoli gates 23 .
Given all of these, the Poly-QAS VQC protocol works as follows: (1) Suppose the input state that the verifier intends to prepare is |ψ = |ψ 1 ⊗ |ψ 2 ⊗ ... ⊗ |ψ n , where each |ψ i is a q-qudit. Also suppose that the verifier wishes to apply the quantum circuit C on |ψ , which contains L Toffoli gates. The verifier prepares the state where t = 2d + 1 and each |M i is a 3-qudit magic state, used for performing Toffoli gates. Groups of t qubits will comprise a block as follows. The first n blocks are simply |block i = |ψ i |0 t−1 , with i ∈ {1, ..., n}. Next, we have the states of the form |M i |0 3t−3 which consist of 3 blocks, each. Each block, from such a state, will comprise of one qudit from |M i and a |0 t−1 state. Note that we can no longer represent these blocks as pure states, since the 3 qudits of a |M i state are entangled. So, to summarize, each block contains one qudit from either the state |ψ or a magic state |M i , together with a flag system, |0 t−1 .
(2) The verifier encodes each block in a signed polynomial code with a randomly chosen key k ∈ {−1, +1} t (the same key for each block) and then quantum one-time pads each block (using different keys for the padding of each block). The blocks are prepared and encoded in sequence (the verifier has the ability to process 3 blocks, or 3t qudits, at a time) and then sent to the prover.
(3) When applying Clifford operations, the verifier simply asks the prover to apply the gates in a transversal fashion. Since Cliffords commute with Paulis, the verifier then updates the one-time pad keys similar to Childs' protocol (see Subsection 1.1).
(4) When applying a Toffoli gate, the verifier asks the prover to measure 3 blocks, comprising a magic state, in the computational basis and report the measurement outcomes. It is assumed that the magic state was entangled, using a Clifford operation, with 3 target blocks on which the Toffoli gate is to be applied. The verifier undoes the (classical) one-time padding of the measurement outcomes and expects each of the 3 groups of measurement outcomes (associated with each of the 3 blocks) to be of the form [k 1 p(α 1 ), ..., k t p(α t )]. The verifier then takes these classical strings and turns them into states of the form |φ = |k 1 p(α 1 ) ... |k t p(α t ) (using her constant-sized quantum computer) 24 . She then applies D † k on each of these |φ states and checks that the last d qudits, of each state, are |0 , aborting otherwise. Assuming not-abort, the verifier instructs the prover to perform the appropriate Pauli corrections resulting from the gate teleportation.
(5) Once all gates have been performed, the verifier instructs the prover to measure all blocks in the computational basis. As in step 4, the verifier will then de-one-time pad the outcomes, apply D † k to each state of the form |φ (prepared from these outcomes), and check that the last d qudits are |0 , aborting otherwise.
The protocol is schematically illustrated in Figure 5.
As with the previous protocol, the security is based on the security of the authentication scheme. However, there is a significant difference. In the Clifford-QAS VQC protocol, one could always assume that the state received by the verifier was the correctly encoded state with a deviation on top that was independent of this encoding. However, in the Poly-QAS VQC protocol, the quantum state is never returned to the verifier and, moreover, the prover's instructed actions on this state are adaptive based on the responses of the verifier. Since the prover is free to deviate at any point throughout the protocol, if we try to commute all of his deviations to the end (i.e. view the output state as the correct state resulting from an honest run of the protocol, with a deviation on top that is independent of the secret parameters), we find that the output state will have a deviation on top which depends on the verifier's responses. Since the verifier's responses depend on the secret keys, we cannot directly use the security of the authentication scheme to prove that the protocol is 2 −d -verifiable.
The solution, as explained in [27], is to consider the state of the entire protocol comprising of the prover's system, the verifier's system and the transcript of all classical messages exchanged during the protocol. For a fixed interaction transcript, the prover's attacks can be commuted to the end of the protocol. This is because, if the transcript is fixed, there is no dependency of the prover's operations on the verifier's messages. We simply view all of his operations as unitaries acting on the joint system of his private memory, the input quantum state and the transcript. One can then use Lemma 2 and Lemma 3 to bound the projection of this state onto the incorrect subspace with acceptance. The whole state, however, will be a mixture of all possible interaction transcripts, but since each term is bounded and the probabilities of the terms in the mixture must add up to one, it follows that the protocol is 2 −d -verifiable: Before ending this subsection, let us briefly summarize the two protocols in terms of the verifier's resources. In both protocols, if one fixes the security parameter, , the verifier must have a O(log(1/ ))-size quantum computer. Additionally, both protocols are interactive with the total amount of communication (number of messages times the size of each message) being upper bounded by O(|C| · log(1/ )), where C is the quantum circuit to be performed 25 . However, in Clifford-QAS VQC, this communication is quantum whereas in Poly-QAS VQC only one quantum message is sent at the beginning of the protocol and the rest of the interaction is classical.

Trap-based verification
In this subsection we discuss Verifiable Universal Blind Quantum Computing (VUBQC), which was developed by Fitzsimons and Kashefi in [28]. The protocol is written in the language of MBQC and relies on two essential ideas. The first is that an MBQC computation can be performed blindly, using UBQC, as described in Subsection 1.1. The second is the idea of embedding checks or traps in a computation in order to verify that it was performed correctly. Blindness will ensure that these checks remain hidden and so any deviation by the prover will have a high chance of triggering a trap. Notice that this is similar to the QAS-based approaches where the input state has a flag subsystem appended to it in order to detect deviations and the whole state has been encoded in some way so as to hide the input and the flag subsystem. This will lead to a similar proof of security. However, as we will see, the differences arising from using MBQC and UBQC lead to a reduction in the quantum resources of the verifier. In particular, in VUBQC the verifier requires only the ability to prepare single qubit states, which will be sent to the prover, in contrast to the QAS-based protocols which required the verifier to have a constant-size quantum computer.
Recall the main steps for performing UBQC. The client, Alice, sends qubits of the form |+ θi to Bob, the server, and instructs him to entangle them according to a graph structure, G, corresponding to some universal graph state. She then asks him to measure qubits in this graph state at angles δ i = φ i + θ i + r i π, where φ i is the corrected computation angle and r i π acts a random Z operation which flips the measurement outcome. Alice will use the measurement outcomes, denoted b i , provided by Bob to update the computation angles for future measurements. Throughout the protocol, Bob's perspective is that the states, measurements and measurement outcomes are indistinguishable from random. Once all measurements have been performed, Alice will undo the r i padding of the final outcomes and recover her output. Of course, UBQC does not provide any guarantee that the output she gets is the correct one, since Bob could have deviated from her instructions.
Transitioning to VUBQC, we will identify Alice as the verifier and Bob as the prover. To augment UBQC with the ability to detect malicious behaviour on the prover's part, the verifier will introduce traps in the computation. How will she do this? Recall that the qubits which will comprise |G need to be entangled with the CZ operation. Of course, for XY-plane states CZ does indeed entangle the states. However, if either qubit, on which CZ acts, is |0 or |1 , then no entanglement is created. So suppose that we have a |+ θ qubit whose neighbours, according to G, are computational basis states. Then, this qubit will remain disentangled from the rest of the qubits in |G . This means that if the qubit is measured at its preparation angle, the outcome will be deterministic. The verifier can exploit this fact to certify that the prover is performing the correct measurements. Such states are referred to as trap qubits, whereas the |0 , |1 neighbours are referred to as dummy qubits. Importantly, as long as G's structure remains that of a universal graph state 26 and as long as the dummy qubits and the traps are chosen at random, adding these extra states as part of the UBQC computation will not affect the blindness of the protocol. The implication of this is that the prover will be completely unaware of the positions of the traps and dummies. The traps effectively play a role that is similar to that of the flag subsystem in the authentication-based protocols. The dummies, on the other hand, are there to ensure that the traps do not get entangled with the rest of qubits in the graph state. They also serve another purpose. When a dummy is in a |1 state, and a CZ acts on it and a trap qubit, in the state |+ θ , the effect is to "flip" the trap to |− θ (alternatively |− θ would have been flipped to |+ θ ). This means that if the trap is measured at its preparation angle, θ, the measurement outcome will also be flipped, with respect to the initial preparation. Conversely, if the dummy was initially in the state |0 , then no flip occurs. Traps and dummies, therefore, serve to also certify that the prover is performing the CZ operations correctly. Thus, by using the traps (and the dummies), the verifier can check both the prover's measurements and his entangling operations and hence verify his MBQC computation.
We are now ready to present the steps of VUBQC: (1) The verifier chooses an input x and a quantum computation C that she would like the prover to perform on |x 27 .
(2) She converts x and C into a pair (G, {φ i } i ), where |G is an N -qubit universal graph state (with an established ordering for measuring the qubits), which admits an embedding of T traps and D dummies. We therefore have that is the number of computation qubits used for performing C and {φ i } i≤Q is the associated set of computation angles 28 .
(4) She then prepares the T + Q states |+ θi , as well as D dummy qubits which are states chosen at random from {|0 , |1 }. All these states are sent to Bob, who is instructed to entangle them, using CZ operations, according to the graph structure G.
(5) Alice then asks Bob to measure the qubits as follows: computation qubits will be measured at where φ i is an updated version of φ i that incorporates corrections resulting from previous measurements; trap qubits will be measured at δ i = θ i +r i π; dummy qubits are measured at randomly chosen angles from {0, π/4, 2π/4, ...7π/4}. This step is interactive as Alice needs to update the angles of future measurements based on past outcomes. The number of rounds of interaction is proportional to the depth of C. If any of the trap measurements produce incorrect outcomes, Alice will abort upon completion of the protocol.
(6) Assuming all trap measurements succeeded, after all the measurements have been performed, Alice undoes the r i one-time padding of the measurement outcomes, thus recovering the outcome of the computation.

Fig. 6: Verifiable Universal Blind Quantum Computing
The protocol is illustrated schematically in Figure 6, where all the parameters have been labelled by their position, (i, j), in a rectangular cluster state.
One can see that VUBQC has correctness δ = 1, since if the prover behaves honestly then all trap measurements will produce the correct result and the computation will have been performed correctly. What about verifiability? We will first answer this question for the case where there is a single trap qubit (T = 1) at a uniformly random position in |G , denoted |+ θt . Adopting a similar notation to that from [28], we let: denote the outcome density operator of all classical and quantum messages exchanged between the verifier and the prover throughout the protocol, excluding the last round of measurements (which corresponds to measuring the output of the computation). Additionally, ν denotes the set of secret parameters of Alice (i.e. the positions of the traps and dummies as well as the sets {φ i } i , {θ i } i and {r i } i ); j ranges over the possible strategies of the prover 29 with j = 0 corresponding to the honest strategy; s is a binary vector which ranges over all possible corrected values of the measurement outcomes sent by the prover; lastly, ρ s ν,j is the state of the unmeasured qubits, representing the output state of the computation (prior to the final measurement). To match Definition 2, one also considers: be the projection onto the orthogonal complement of the correct output together with the trap state being projected onto acceptance. The dependence on ν, for the trap qubit, arises because the acceptance outcome depends on the states of the dummy neighbors for that qubit. This is because if one of the dummies is |1 , the CZ operation has the effect of flipping |+ θt to |− θt . Additionally, ν also encodes the position of this trap, in the graph state, as well as the Z flip specified by the r i parameter, for i = t. One then needs to find an such that: This is done in a manner similar to the proof of security for the Poly-QAS VQC scheme of the previous section 30 . Specifically, one fixes the interaction transcript for the protocol. In this case, any deviation 29 Since the prover is unbounded and is free to choose any of the uncountably many CPTP strategies, j should be thought more of as a symbolic parameter indicating that there is a dependence on the prover's strategy and whether or not this strategy is the ideal one. 30 Note that the security proof for Poly-QAS VQC was in fact inspired from that of the VUBQC protocol, as mentioned in [27].
that the prover performs is independent of the secret parameters of the verifier and can therefore be commuted to the end of the protocol. The outcome density operator B j (ν) can then be expressed as the ideal outcome with a deviation, E j , on top that is independent of ν: The deviation E j is then decomposed into Kraus operators which, in turn, are decomposed into Pauli operators leading to: where α ik (j) are the complex coefficients for the Pauli operators. The UBQC protocol ensures that, when summing over the secret parameters ν, the qubits sent by the verifier to the prover are effectively one-time padded. This means that one can use a version of the Pauli twirl Lemma 2 and get that: In other words, the resulting state, averaged over the secret parameters, is a convex combination of Pauli deviations. We are only interested in non-trivial deviations, i.e. deviations that can corrupt the output (and hence also flip the trap). The position of the trap qubit is randomized, so that it is equally likely that any of the N qubits is the trap. But if this is the case and we assume that non-trivial deviations have a non-zero weight in the convex combination, then one gets that the probability for the trap to be flipped is lower bounded by the uniform probability of 1/N . Hence, for the case of a single trap qubit one has = 1 − 1 N . If however, there are multiple trap states, the bound improves. Specifically, for a type of resource state called dotted-triple graph, the number of traps can be a constant fraction of the total number of qubits, yielding = 8/9. If the protocol is then repeated a constant number of times, d, with the verifier aborting if any of these runs gives incorrect trap outcomes, it can be shown that = (8/9) d [56]. Alternatively, if the input state and computation are encoded in an error correcting code of distance d, then one again obtains = (8/9) d . This is useful if one is interested in a quantum output, or a classical bit string output. If, instead, one would only like a single bit output (i.e. the outcome of the decision problem) then sequential repetition and taking the majority outcome is sufficient. The fault tolerant encoding need not be done by the verifier. Instead, the prover will simply be instructed to prepare a larger resource state which also offers topological error-correction. See [28,57,58] for more details. An important observation, however, is that the fault tolerant encoding, just like in the Poly-QAS VQC protocol, is used only to boost security and not for correcting deviations arising from faulty devices. This latter case is discussed in Section 5.2. To sum up: Theorem 3. For a fixed constant d > 0, VUBQC is a prepare-and-send QPIP protocol having correctness δ = 1 and verifiability = (8/9) d .
It should be noted that in the original construction of the protocol, the fault tolerant encoding, used for boosting security, required the use of a resource state having O(|C| 2 ) qubits. The importance of the dotted-triple graph construction is that it achieves the same level of security while keeping the number of qubits linear in |C|. The same effect is achieved by a composite protocol which combines the Poly-QAS VQC scheme, from the previous section, with VUBQC [52]. This works by having the verifier run small instances of VUBQC in order to prepare the encoded blocks used in the Poly-QAS VQC protocol. Because of the blindness property, the prover does not learn the secret keys used in the encoded blocks. The verifier can then run the Poly-QAS VQC protocol with the prover, using those blocks. This hybrid approach illustrates how composition can lead to more efficient protocols. In this case, the composite protocol maintains a single qubit preparation device for the verifier (as opposed to a O(log(1/ ))-size quantum computer) while also achieving linear communication complexity. We will encounter other composite protocols when reviewing entanglement-based protocols in Section 4.
Lastly, let us explicitly state the resources and overhead of the verifier throughout the VUBQC protocol. As mentioned, the verifier requires only a single-qubit preparation device, capable of preparing states of the form |+ θ , with θ ∈ {0, π/4, 2π/4, ...7π/4}, and |0 , |1 . The number of qubits needed is on the order of O(|C|). After the qubits have been sent to the prover, the two interact classically and the size of the communication is also on the order of O(|C|).

Verification based on repeated runs
The final prepare-and-send protocol we describe is the one defined by Broadbent in [29]. While the previous approaches relied on hiding a flag subsystem or traps in either the input or the computation, this protocol has the verifier alternate between different runs designed to either test the behaviour of the prover or perform the desired quantum computation. We will refer to this as the Test-or-Compute protocol. From the prover's perspective, the possible runs are indistinguishable from each other, thus making him unaware if he is being tested or performing the verifier's chosen computation. Specifically, suppose the verifier would like to delegate the quantum circuit C to be applied on the |0 ⊗n state 31 , where n is the size of the input. The verifier then chooses randomly between three possible runs: • Computation run. The verifier delegates C |0 ⊗n to the prover. • X-test run. The verifier delegates the identity computation on the |0 ⊗n state to the prover. • Z-test run. The verifier delegates the identity computation on the |+ ⊗n state to the prover.
It turns out that this suffices in order to test against any possible malicious behavior of the prover, with high probability. In more detail, the protocol uses a technique for quantum computing on encrypted data, described in [59], which is similar to Childs' protocol from Subsection 1.1, except it does not involve two-way quantum communication. The verifier will one-time pad either the |0 ⊗n state or the |+ ⊗n state and send the qubits to the prover. The prover is then instructed to apply the circuit C, which consists of the gates X, Z, H, T, CNOT. As we know, the Clifford operations commute with the one-time pad, so the verifier would only need to appropriately update the one-time pad to account for this. However, T gates do not commute with the pad. In particular, commuting them past the X gates introduces unwanted S operations. To resolve this issue, the verifier will use a particular gadget which will allow the prover to apply T and correct for S at the same time. This gadget is shown in Figure 7, reproduced from [29]. The gadget works in a gate teleportation fashion. For each qubit, labelled j, on which the prover should apply a T gate, the verifier sends a qubit of the form X d Z c S y T |+ , as well as the classical bit x = a ⊕ c ⊕ y, where a is the X padding of qubit j and c, d and y are chosen at random. The verifier then instructs the prover to apply a CNOT between the sent qubit and qubit j, effectively entangling them, and then measure qubit j in the computational basis. Lastly, the verifier instructs the prover to apply an S x gate to the sent qubit. The end result is that this qubit will be the same as the de-one-time padded qubit j but with a T and a new one-time pad acting on it. Importantly, the new pad is kept secret from the prover.
The T gate gadget allows the verifier to control the application of either a non-Clifford operation or a Clifford operation through gate teleportation. For note that if the verifier does not apply a T gate on the qubit sent to the prover, the resulting computation is Clifford. This is what allows the verifier to switch between the computation run and the two test runs. The prover cannot distinguish between the two cases, since his side of the gadget is identical in both instances. Thus, in a test run, the computation the prover performs will be Clifford and the verifier can simply update the one-time pad, of the input, accordingly. There is, however, one complication. In an X-test run, the input is |0 ⊗n and should remain this way until the end of the circuit, up to qubit flips resulting from the one-time pad. But any Hadamard gate in the circuit will map |0 to |+ . The same is true for Z-test runs, where |+ states can be mapped to |0 . To resolve this issue, Broadbent uses the following identities: 31 The preparation of a specific input |x can be done as part of the circuit C.
The idea is to have the prover implement each Hadamard operation in C by applying four H gates alternating with S = T 2 gates. Each T 2 operation is performed by using the T gate gadget twice. When the verifier chooses a computation run, she will apply the T gates in the gadget and therefore, via Equation 43, this leads to a Hadamard operation. Conversely, in a rest run, no T gates are applied, hence, from Equation 44, no Hadamard operation will act on the target qubit. Since the output is always measured, by the prover, in the computational basis, in an X-test run the verifier simply checks that the de-one-time padded output is |0 ⊗n . There is, in fact, an additional testing step being performed during an X-test run. Consider the T gadget for such a run in Figure 8, reproduced from [29]. [29] Note that the measurement bit, c, provided by the prover to the verifier should be an xor of the original X padding of the input and the updated X padding of the input. Checking the value of this bit allows the verifier to test that the gadget was applied correctly.
What about the Z-test run? In that case, the output should be the |+ ⊗n which, upon measurement, should collapse with equal probability into any of the 2 n possible binary strings. The verifier does not test for this. Instead, each H gate that should be applied by the prover has the effect of switching between the Z-test run and the X-test run. Thus, whenever a Hadamard is applied to a qubit, during a Z-test run, the verifier switches to an X-test run until the next Hadamard operation. In the X-test runs, the verifier will use the T gate gadget from Figure 8. These are the only checks that are performed in the Z-test run.
Putting everything together, the protocol starts by having the verifier choose an input x and a quantum computation C to act on this input (that includes preparing the input from the |0 ⊗n state). Then, the verifier will randomly choose to perform one of the following: • Computation run. The verifier one-time pads the |0 ⊗n state and sends it to the prover. The prover is then instructed to apply C on this state, such that for each T gate in the circuit the prover and the verifier interact in order to perform the T gadget. Additionally, any H in C is performed as in Equation 43. For Clifford operations, the verifier updates the one-time pad of the state accordingly. The prover is instructed to measure the output state of the circuit in the computational basis and return the outcome to the verifier. The verifier undoes the padding of this outcome and accepts if the output of the circuit indicates acceptance.
• X-test run. The verifier one-time pads the |0 ⊗n state and sends it to the prover. As in the computation run, for each T, the verifier and the prover will interact to run the T gate gadget. In this case, however, the verifier will use the T gate gadget from Figure 8, making the circuit effectively act as identity and checking that the prover is performing these gadgets correctly (rejecting otherwise). Additionally, the H gates in C will also act as identity, from Equation 44, as described previously. The verifier updates the one-time padding of the state accordingly for all gates in the circuit. Once the circuit is finished, the prover is instructed to measure the output in the computational basis and report the outcome to the verifier. The verifier accepts if the de-one-time padded output is |0 ⊗n .
• Z-test run. The verifier one-time pads the |+ ⊗n state and sends it to the prover. As in the Xtest run, the T gate gadgets will act as identity. The H operations that the prover performs will temporarily switch the Z-test run into an X-test run, in which the verifier uses the gadget from Figure 8 to check that prover implemented it correctly. Any subsequent H will switch back to a Z-test run. Additionally, the verifier updates the one-time padding of the state accordingly for all gates in the circuit. The prover is instructed to measure the output in the computational basis and report the outcome to the verifier, however in this case the verifier discards the output.
The asymmetry between the X-test run and the Z-test run stems from the fact that the output is always measured in the computational basis. This means that an incorrect output is one which has been bit-flipped. In turn, this implies that only X and Y operations on the output will act as deviations, since Z effectively acts as identity on computational basis states. If the circuit C does not contain any Hadamard gates and hence, the computation takes place entirely in the computational basis, then the X-test is sufficient for detecting such deviations. However, when Hadamard gates are present, this is no longer the case since deviations can occur in the conjugate basis, (|+ , |− ), as well. This is why the Z-test is necessary. Its purpose is to check that the prover's operations are performed correctly when switching to the conjugate basis. For this reason, a Hadamard gate will switch a Z-test run into an X-test run which provides verification using the T gate gadget.
In terms of the correctness of the protocol, we can see that if the prover behaves honestly then the correct outcome is obtained in the computation run and the verifier will accept the test runs, hence δ = 1 32 . For verifiability, the analysis is similar to the previous protocols. Suppose that |ψ is either the |0 ⊕n or the |+ ⊕n state representing the input. Additionally, assuming there are t T gates in C (including the ones used for performing the Hadamards), let |φ be the state of the t qubits that the verifier sends for the T gate gadgets. Then, the one-time padded state that the prover receives is: The prover is then instructed to follow the steps of the protocol in order to run the circuit C. Note that all of the operations that he is instructed to perform are Clifford operations. This is because any non-Clifford operation from C is performed with the T gate gadgets (which require only Cliffords) and the states from |φ , prepared by the verifier. In following the notation from [29], we denote the honest action of the protocol as C. As in the previous protocols, the prover's deviation can be commuted to the end of the protocol, so that it acts on top of the correct state. After expressing the deviation map in terms of Pauli operators one gets: Note that we have also commuted C past the one-time pad so that it acts on the state |ψ |φ , rather than on the one-time padded versions of these states. This is possible precisely because C is a Clifford operation and therefore commutes with Pauli operations. One can then assume that the verifier performs the decryption of the padding before the final measurement, yielding: We now use the Pauli twirl from Lemma 2 to get: which is a convex combination of Pauli attacks acting on the correct output state. If we now denote M to be the set of non-benign Pauli attacks (i.e. attacks which do not act as identity on the output of the computation), then one of the test runs will reject with probability: This is because non-benign Pauli X or Y operations are detected by the X-test run, whereas non-benign Pauli Z operations are detected by the Z-test run. Since either test occurs with probability 1/3, it follows that, the probability of the verifier accepting an incorrect outcome is at most 2/3, hence = 2/3. Note that when discussing the correctness and verifiability of the Test-or-Compute protocol, we have slightly abused the terminology, since this protocol does not rigorously match the established definitions for correctness and verifiability that we have used for the previous protocols. The reason for this is the fact that in the Test-or-Compute protocol there is no additional flag or trap subsystem to indicate failure. Rather, the verifier detects malicious behaviour by alternating between different runs. It is therefore more appropriate to view the Test-or-Compute protocol simply as a QPIP protocol having a constant gap between completeness and soundness: Theorem 4. Test-or-Compute is a prepare-and-send QPIP protocol having completeness 8/9 and soundness 7/9.
In terms of the verifier's quantum resources, we notice that, as with the VUBQC protocol, the only requirement is the preparation of single qubit states. All of these states are sent in the first round of the protocol, the rest of the interaction being completely classical.

Summary of prepare-and-send protocols
The protocols, while different, have the common feature that they all use blindness or have the potential to be blind protocols. Out of the five presented protocols, only the Poly-QAS VQC and the Test-or-Compute protocols are not explicitly blind since, in both cases, the computation is revealed to the server. However, it is relatively easy to make the protocols blind by encoding the circuit into the input (which is one-time padded). Hence, one can say that all protocols achieve blindness.
This feature is essential in the proof of security for these protocols. Blindness combined with either the Pauli twirl Lemma 2 or the Clifford twirl Lemma 1 have the effect of reducing any deviation of the prover to a convex combination of Pauli attacks. Each protocol then has a specific way of detecting such an attack. In the Clifford-QAS VQC protocol, the convex combination is turned into a uniform combination and the attack is detected by a flag subsystem associated with a quantum authentication scheme. A similar approach is employed in the Poly-QAS VQC protocol, using a quantum authentication scheme based on a special type of quantum error correcting code. The VUBQC protocol utilizes trap qubits and either sequential repetition or encoding in an error correcting code to detect Pauli attacks. Finally, the Test-or-Compute protocol uses a hidden identity computation acting on either the |0 ⊗n or |+ ⊗n states, in order to detect the malicious behavior of the prover.

Protocol
Verifier resources Communication 2-way quantum comm. Table 1: Comparison of prepare-and-send protocols. If denote as C the circuit that the verifier wishes to delegate to the prover, and as x the input to this circuit, then n = |x|, N = |C|. Additionally, T denotes the number of T gates in C, L denotes the number of Toffoli gates in C and denotes the verifiability of the protocols. The second column refers to the verifier's quantum resources. The third column quantifies the total communication complexity, both classical and quantum, of the protocols (i.e. number of messages times the size of a message).

Clifford-QAS VQC
Because of these differences, each protocol will have different "quantum requirements" for the verifier. For instance, in the authentication-based protocols, the verifier is assumed to be a quantum computer operating on a quantum memory of size O(log(1/ )), where is the desired verifiability of the protocol. In VUBQC and Test-or-Compute, however, the verifier only requires a device capable of preparing singlequbit states. Additionally, out of all of these protocols, only Clifford-QAS VQC requires 2-way quantum communication, whereas the other three require the verifier to send only one quantum message at the beginning of the protocol, while the rest of the communication is classical. These facts, together with the communication complexities of the protocols are shown in Table 1.
As mentioned, if we want to make the Poly-QAS VQC and Test-or-Compute protocols blind, the verifier will hide her circuit by incorporating it into the input. The input would then consist of an encoding of C and an encoding of x. The prover would be asked to perform controlled operations from the part of the input containing the description of C, to the part containing x, effectively acting with C on x. We stress that in this case, the protocols would have a communication complexity of O(|C| · log(1/ )), just like VUBQC and Clifford-QAS VQC 33 .

Receive-and-measure protocols
The protocols presented so far have utilized a verifier with a trusted preparation device (and potentially a trusted quantum memory) interacting with a prover having the capability of storing and performing operations on arbitrarily large quantum systems. In this section, we explore protocols in which the verifier possesses a trusted measurement device. The point of these protocols is to have the prover prepare a specific quantum state and send it to the verifier. The verifier's measurements have the effect of either performing the quantum computation or extracting the outcome of the computation. An illustration of receive-and-measure protocols is shown in Figure 9. For prepare-and-send protocols we saw that blindness was an essential feature for achieving verifiability. While most of the receive-and-measure protocols are blind as well, we will see that it is possible to perform verification without hiding any information about the input or computation, from the prover. Additionally, while in prepare-and-send protocols the verifier was sending an encoded or encrypted quantum state to the prover, in receive-and-measure protocols, the quantum state received by the verifier is not necessarily encoded or encrypted. Moreover, this state need not contain a flag or a trap subsystem. For this reason, we can no longer consistently define -verifiability and δ-correctness, as we did for prepare-and-send protocols. Instead, we will simply view receive-and-measure protocols as QPIP protocols.
The protocols presented in this section are:  [31]).
There is an additional receive-and-measure protocol by Gheorghiu, Wallden and Kashefi [34] which we refer to as Steering-based VUBQC. That protocol, however, is similar to the entanglement-based GKW protocol from Subsection 4.1. We will therefore review Steering-based VUBQC in that subsection by comparing it to the entanglement-based protocol.

Measurement-only verification
In this section we discuss the measurement-only protocol from [32], which we shall simply refer to as the measurement-only protocol. This protocol uses MBQC to perform the quantum computation, like the VUBQC protocol from Subsection 2.2, however the manner in which verification is performed is more akin to Broabdent's Test-or-Compute protocol, from Subsection 2.3. This is because, just like in the Testor-Compute protocol, the measurement-only approach has the verifier alternate between performing the computation or testing the prover's operations.
The key idea for this protocol, is the fact that graph states can be completely specified by a set of stabilizer operators. This fact was explained in Subsection 7.2. To reiterate the main points, recall that for a graph G, with associated graph state |G , if we denote as V (G) the set of vertices in G and as N G (v) the set of neighbours for a given vertex v, then the generators for the stabilizer group of |G are: for all v ∈ V (G). In other words, the K v operators generate the entire group of operators, O, such that O |G = |G . Note that another set of generators is given by the dual operators: When viewed as observables, stabilizers allow one to test that an unknown quantum state is in fact a particular graph state |G , with high probability. This is done by measuring random stabilizers of |G on multiple copies of the unknown quantum state. If all measurements return the +1 outcome, then, the unknown state is close in trace distance to |G . This is related to a concept known as self-testing, which is the idea of determining whether an unknown quantum state and an unknown set of observables are close to a target state and observables, based on observed statistics. We postpone a further discussion of this topic to the next section, since self-testing is ubiquitous in entanglement-based protocols.  As mentioned, the measurement-only protocol involves a testing phase and a computation phase. The prover will be instructed to prepare multiple copies of a 2D cluster state, |G , and send them, qubit by qubit, to the verifier. The verifier will then randomly use one of these copies to perform the MBQC computation, whereas the other copies are used for testing that the correct cluster state was prepared 34 . This testing phase will involve checking all possible stabilizers of |G . In particular, the verifier will divide the copies to be tested into two groups, which we shall refer to as the XZ group and the ZX group. In the XZ group of states, the verifier will measure the qubits according to the 2D cluster structure, starting with an X operator in the upper left corner of the lattice and then alternating between X and Z. In the ZX group, she will measure the dual operators by swapping X with Z. The two cases are illustrated in Figure 10.
Together, the measurement outcomes of the two groups can be used to infer the outcomes of all stabilizer measurements consisting of either K v operators or J v operators (but not combinations of both). For instance, assuming the measurement outcomes are ±1 (the eigenvalues of the operators), to compute the outcome of a K v or J v stabilizer, for some node v, the verifier simply takes product of the measurement outcomes for all nodes in {v} ∪ N v . These tests allow the verifier to certify that the prover is indeed preparing copies of the state |G . She can then use one of these copies to run the computation. Since the prover does not know which state the verifier will use for the computation, any deviation he implements has a high chance of being detected by one of the verifier's tests. Hence, the protocol works as follows: (1) The verifier chooses an input x and a quantum computation C.
(2) She instructs the prover to prepare 2k + 1 copies of a 2D cluster state, |G , for some constant k, and send all of the qubits, one at a time, to the verifier.
(3) The verifier randomly picks one copy to run the computation of C on x in an MBQC fashion. The remaining 2k copies are randomly divided into the XZ groups and the ZX group and measured, as described above, so as to check the stabilizers of |G .
(4) If all stabilizer measurement outcomes are successful (i.e. produced the outcome +1), then the verifier accepts the outcome of the computation, otherwise she rejects.
As with all protocols, completeness follows immediately, since if the prover behaves honestly, the verifier will accept the outcome of the computation. In the case of soundness, Hayashi and Morimae treat the problem as a hypothesis test. In other words, in the testing phase of the protocol the verifier is checking the hypothesis that the prover prepared 2k + 1 copies of the state |G . Hayashi and Morimae then prove the following theorem: be the verifier's confidence level in the testing phase of the measurement-only protocol. Then, the state used by the verifier for the computation, denoted ρ, satisfies: This theorem is essentially showing that as the number of copies of |G , requested by the verifier, increases, and the verifier accepts in the testing phase, one gets that the state ρ, used by the verifier for the computation, is close in trace distance to the ideal state, |G . The confidence level, α, represents the maximum acceptance probability for the verifier, such that the computation state, ρ, does not satisfy Equation 52. Essentially this represents the probability for the verifier to accept a computation state that is far from ideal. Hayashi and Morimae argue that the lower bound, α ≥ 1/(2k + 1), is tight, because if the prover corrupts one of the 2k + 1 states sent to the verifier, there is a 1/(2k + 1) chance that that state will not be tested and the verifier accepts.
If one now denotes with C the POVM that the verifier applies on the computation state in order to perform the computation of C, then it is the case that: What this means is that the distribution of measurement outcomes for the state ρ, sent by the prover in the computation run, is almost indistinguishable from the distribution of measurement outcomes for the ideal state |G . The soundness of the protocol is therefore upper bounded by . This implies that to achieve soundness below , for some > 0, the number of copies that the prover would have to prepare scales as O 1 α · 1 2 . In terms of the quantum capabilities of the verifier, she only requires a single qubit measurement device capable of measuring the observables: Recently, however, Morimae, Takeuchi and Hayashi have proposed a similar protocol which uses hypergraph states [33]. These states have the property that one can perform universal quantum computations by measuring only the Pauli observables (X, Y and Z). Hypergraph states are generalizations of graph states in which the vertices of the graph are linked by hyperedges, which can connect more than two vertices. Hence, the entangling of qubits is done with a generalized CZ operation involving multiple qubits. The protocol itself is similar to the one from [32], as the prover is required to prepare many copies of a hypergraph state and send them to the verifier. The verifier will then test all but one of these states using stabilizer measurements and use the remaining one to perform the MBQC computation. For a computation, C, the protocol has completeness lower bounded by 1−|C|e −|C| and soundness upper bounded by 1/ |C|. The communication complexity is higher than the previous measurement-only protocol, as the prover needs to send O(|C| 21 ) copies of the O(|C|)-qubit graph state, leading to a total communication cost of O(|C| 22 ). We end with the following result: Theorem 6. The measurement-only protocols are receive-and-measure QPIP protocols having an inverse polynomial gap between completeness and soundness.

Post-hoc verification
The protocols we have reviewed so far have all been based on cryptographic primitives. There were reasons to believe, in fact, that any quantum verification protocol would have to use some form of encryption or hiding. This is due to the parallels between verification and authentication, which were outlined in Section 2. However, it was shown that this is not the case when Morimae and Fitzsimons, and independently Hangleiter et al, proposed a protocol for post-hoc quantum verification [30,31]. The name "post-hoc" refers to the fact that the protocol is not interactive, requiring a single round of back and forth communication between the prover and the verifier. Moreover, verification is performed after the computation has been carried out. It should be mentioned that the first post-hoc protocol was proposed in [23], by Fitzsimons and Hajdušek, however, that protocol utilizes multiple quantum provers, and we review it in Subsection 4.3.
In this section, we will present the post-hoc verification approach, refered to as 1S-Post-hoc, from the perspective of the Morimae and Fitzsimons paper [30]. The reason for choosing their approach, over the Hangleiter et al one, is that the entanglement-based post-hoc protocols, from Subsection 4.3, are also described using similar terminology to the Morimae and Fitzsimons paper. The protocol of Hangleiter et al is essentially identical to the Morimae and Fitzsimons one, except it is presented from the perspective of certifying the ground state of a gapped, local Hamiltonian. Their certification procedure is then used to devise a verification protocol for a class of quantum simulation experiments, with the purpose of demonstrating a quantum computational advantage [31].
The starting point is the complexity class QMA, for which we have stated the definition in Subsection 7.3. Recall, that one can think of QMA as the class of problems for which the solution can be checked by a BQP verifier receiving a quantum state |ψ , known as a witness, from a prover. We also stated the definition of the k-local Hamiltonian problem, a complete problem for the class QMA, in Definition 9. We mentioned that for k = 2 the problem is QMA-complete. For the post-hoc protocol, Morimae and Fitzsimons consider a particular type of 2-local Hamiltonian known as an XZ-Hamiltonian.
To define an XZ-Hamiltonian we introduce some helpful notation. Consider an n-qubit operator S, which we shall refer to as XZ-term, such that S = n j=1 P j , with P j ∈ {I, X, Z}. Denote w X (S) as the X-weight of S, representing the total number of j's for which P j = X. Similarly denote w Z (S) as the Z-weight for S. An XZ-Hamiltonian is then a 2-local Hamiltonian of the form H = i a i S i , where the a i 's are real numbers and the S i 's are XZ-terms having w X (S i ) ≤ 1 and w Z (S i ) ≤ 1. Essentially, as the name suggests, an XZ-Hamiltonian is one in which each local term has at most one X operator and one Z operator.
The 1S-Post-hoc protocol starts with the observation that BQP ⊆ QMA. This means that any problem in BQP can be viewed as an instance of the 2-local Hamiltonian problem. Therefore, for any language L ∈ BQP and input x, there exists an XZ-Hamiltonian, H, such that the smallest eigenvalue of H is less than a when x ∈ L or larger than b, when x ∈ L, where a and b are a pair of numbers satisfying b − a ≥ 1/poly(|x|). Hence, the lowest energy eigenstate of H (also referred to as ground state), denoted |ψ , is a quantum witness for x ∈ L. In a QMA protocol, the prover would be instructed to send this state to the verifier. The verifier then performs a measurement on |ψ to estimate its energy, accepting if the estimate is below a and rejecting otherwise. However, we are interested in a verification protocol for BQP problems where the verifier has minimal quantum capabilities. This means that there will be two requirements: the verifier can only perform single-qubit measurements; the prover is restricted to BQP computations. The 1S-Post-hoc protocol satisfies both of these constraints.
The first requirement is satisfied because estimating the energy of a quantum state, |ψ , with respect to an XZ-Hamiltonian H, can be done by measuring one of the observables S i on the state |ψ . Specifically, it is shown in [62] that if one chooses the local term S i according to a probability distribution given by the normalized terms |a i |, and measures |ψ with the S i observables, this provides an estimate for the energy of |ψ . Since H is an XZ-Hamiltonian, this entails performing at most one X measurement and one Z measurement. This implies that the verifier need only perform single-qubit measurements.
For the second requirement, one needs to show that for any BQP computation, there exists an XZ-Hamiltonian such that the ground state can be prepared by a polynomial-size quantum circuit. Suppose the computation that the verifier would like to delegate is denoted as C and the input for this computation is x. Given what we have mentioned above, regarding the local Hamiltonian problem, it follows that there exists an XZ-Hamiltonian H and numbers a and b, with b − a ≥ 1/poly(|x|), such that if C accepts x with high probability then the ground state of H has energy below a, otherwise it has energy above b. It was shown in [63,64], that starting from C and x one can construct an XZ-Hamiltonian satisfying this property and which also has a ground state that can be prepared by a BQP machine. The ground state is known as the Feynman-Kitaev clock state. To describe this state, suppose the circuit C has T gates (i.e. T = |C|) and that these gates, labelled in the order in which they are applied, are denoted {U i } T i=0 . For i = 0 we assume U 0 = I. The Feynman-Kitaev state is the following: This is essentially a superposition over all time steps of the time evolved state in the circuit C. Hence, the state can be prepared by a BQP machine. The XZ-Hamiltonian, proposed by Kempe, Kitaev and Regev [64], is then a series of 2-local constraints that are all simultaneously satisfied by this state.
We can now present the steps of the 1S-Post-hoc protocol: (1) The verifier chooses a quantum circuit, C, and an input x to delegate to the prover.
(1) The verifier computes the terms a i of the XZ-Hamiltonian, H = i a i S i , having as a ground state the Feynman-Kitaev state associated with C and x, denoted |ψ .
(2) The verifier instructs the prover to send her |ψ , qubit by qubit. Note that the protocol is not blind, since the verifier informs the prover about both the computation C and the input x.
As mentioned, the essential properties that any QPIP protocol should satisfy are completeness and soundness. For the post-hoc protocol, these follow immediately from the local Hamiltonian problem. Specifically, we know that there exist a and b such that b − a ≥ 1/poly(|x|). When C accepts x with high probability, the state |ψ will be an eigenstate of H having eigenvalue smaller than a. Otherwise, any state, when measured under the H observable, will have an energy greater than b. Of course, the verifier is not computing the exact energy |ψ under H, merely an estimate. This is because she is measuring only one local term from H. However, it is shown in [30] that the precision of her estimate is also inverse polynomial in |x|. Therefore: Theorem 7. 1S-Post-hoc is a receive-and-measure QPIP protocol having an inverse polynomial gap between completeness and soundness.
The only quantum capability of the verifier is the ability to measure single qubits in the computational and Hadamard bases (i.e. measuring the Z and X observables). The protocol, as described, suggests that it is sufficient for the verifier to measure only two qubits. However, since the completeness-soundness gap decreases with the size of the input, in practice one would perform a sequential repetition of this protocol in order to boost this gap. It is easy to see that, for a protocol with a completeness-soundness gap of 1/p(|x|), for some polynomial p, in order to achieve a constant gap of at least 1 − , where > 0, the protocol needs to be repeated O(p(|x|) · log(1/ )) times. It is shown in [31,65] that p(|x|) is O(|C| 2 ), hence the protocol should be repeated O(|C| 2 · log(1/ )) times and this also gives us the total number of measurements for the verifier 35 . Note, however, that this assumes that each run of the protocol is independent of the previous one (in other words, that the states sent by the prover to the verifier in each run are uncorrelated). Therefore, the O(|C| 2 · log(1/ )) overhead should be taken as an i.i.d. (independent and identically distributed states) estimate. This is, in fact, mentioned explicitly in the Hangleiter et al result, where they explain that the prover should prepare "a number of independent and identical copies of a quantum state" [31]. Thus, when considering the most general case of a malicious prover that does not obey the i.i.d. constraint, one requires a more thorough analysis involving non-independent runs, as is done in the measurement-only protocol [32] or the steering-based VUBQC protocol [34].

Summary of receive-and-measure protocols
Receive-and-measure protocols are quite varied in the way in which they perform verification. The measurement-only protocols use stabilizers to test that the prover prepared a correct graph state and then has the verifier use this state to perform an MBQC computation. The 1S-Post-hoc protocol relies on the entirely different approach of estimating the ground state energy of a local Hamiltonian. Lastly, the steering-based VUBQC protocol, which we detail in Subsection 4.1, is different from these other two approaches by having the verifier remotely prepare the VUBQC states on the prover's side and then doing trap-based verification. Having such varied techniques leads to significant differences in the total number of measurements performed by the verifier, as we illustrate in Table 2. Of course, the number of measurements is not the only metric we use in comparing the protocols. Another important aspect is how many observables the verifier should be able to measure. The 1S-Posthoc protocol is optimal in that sense, since the verifier need only measure X and Z observables. Next is the hypergraph state measurement-only protocol which requires all three Pauli observables. Lastly, the other two protocols require the verifier to be able to measure the XY-plane observables X, Y, (X + Y)/ √ 2 and (X − Y)/ √ 2 plus the Z observable. Finally, we compare the protocols in terms of blindness, which we have seen plays an important role in prepare-and-send protocols. For receive-and-measure protocols, the 1S-Post-hoc protocol is the only one that is not blind. While this is our first example of a verification protocol that does not hide the computation and input from the prover, it is not the only one. In the next section, we review two other post-hoc protocols that are also not blind.

Entanglement-based protocols
The protocols discussed in the previous sections have been either prepare-and-send or receive-andmeasure protocols. Both types employ a verifier with some minimal quantum capabilities interacting with a single BQP prover. In this section we explore protocols which utilize multiple non-communicating provers that share entanglement and a fully classical verifier. The main idea will be for the verifier to distribute a quantum computation among many provers and verify its correct execution from correlations among the responses of the provers.
We classify the entanglement-based approaches as follows: 1. Subsection 4.1 three protocols which make use of the CHSH game, the first one developed by Reichardt, Unger and Vazirani [19], the second by Gheorghiu, Kashefi and Wallden [20] and the third by Hajdušek, Pérez-Delgado and Fitzsimons. 2. Subsection 4.2 a protocol based on self-testing graph states, developed by McKague [22]. 3. Subsection 4.3 two post-hoc protocols, one developed by Fitzsimons and Hajdušek [30] and another by Natarajan and Vidick [24].
Unlike the previous sections where, for the most part, each protocol was based on a different underlying idea for performing verification, entanglement-based protocols are either based on some form of rigid self-testing or on testing local Hamiltonians via the post-hoc approach. In fact, as we will see, even the post-hoc approaches employ self-testing. Of course, there are distinguishing features within each of these broad categories, but due to their technical specificity, we choose to label the protocols in this section by the initials of the authors.
Since self-testing plays such a crucial role in entanglement-based protocols, let us provide a brief description of the concept. The idea of self-testing was introduced by Mayers and Yao in [66], and is concerned with characterising the shared quantum state and observables of n non-communicating players in a non-local game. A non-local game is one in which a referee (which we will later identify with the verifier) will ask questions to the n players (which we will identify with the provers) and, based on their responses, decide whether they win the game or not. Importantly, we are interested in games where there is a quantum strategy that outperforms a classical strategy. By a classical strategy, we mean that the players can only produce local correlations 36 . Conversely, in a quantum strategy, the players are allowed to share entanglement in order to produce non-local correlations and achieve a higher win rate. Even so, there is a limit to how well the players can perform in the game. In other words, the optimal quantum strategy has a certain probability of winning the game, which may be less than 1. Self-testing results are concerned with non-local games in which the optimal quantum strategy is unique, up to local isometries on the players' systems. This means that if the referee observes a near maximal win rate for the players, in the game, she can conclude that they are using the optimal strategy and can therefore characterise their shared state and their observables, up to a local isometries. More formally, we give the definition of self-testing, adapted from [67] and using notation similar to that of [24]: Definition 4 (Self-testing). Let G denote a game involving n non-communicating players denoted . Each player will receive a question from a set, Q and reply with an answer from a set A. Thus, each P i can be viewed as a mapping from Q to A. There exists some condition establishing which combinations of answers to the questions constitutes a win for the game. Let ω * (G) denote the maximum winning probability of the game for players obeying quantum mechanics.
The mappings P i are implemented by a measurement strategy S = (|ψ , {O j i } ij ) consisting of a state |ψ shared among the n players and local observables {O j i } j , for each player P i . We say that the game G self-tests the strategy S, with robustness = (δ), for some δ > 0, if, for any strategyS = (|ψ , {Õ j i } ij ) achieving winning probability ω * (G) − there exists a local isometry Φ = n i=1 Φ i and a state |junk such that: and for all j:

Verification based on CHSH rigidity
RUV protocol. In [68], Tsirelson gave an upper bound for the total amount of non-local correlations shared between two non-communicating parties, as predicted by quantum mechanics. In particular, consider a two-player game consisting of Alice and Bob. Alice is given a binary input, labelled a, and Bob is given a binary input, labelled b. They each must produce a binary output and we label Alice's output as x and Bob's output as y. Alice and Bob win the game iff a · b = x ⊕ y. The two are not allowed to communicate during the game, however they are allowed to share classical or quantum correlations (in the form of entangled states). This defines a non-local game known as the CHSH game [69]. The optimal classical strategy for winning the game achieves a success probability of 75%, whereas, what Tsirelson proved, is that any quantum strategy achieves a success probability of at most cos 2 (π/8) ≈ 85.3%. This maximal winning probability, in the quantum case, can in fact be achieved by having Alice and Bob do the following. First, they will share the state |Φ + = (|00 + |11 )/ √ 2. If Alice receives input a = 0, then she will measure the Pauli X observable on her half of the |Φ + state, otherwise (when a = 1) she measures the Pauli Z observable. Bob, on input b = 0 measures (X + Z)/ √ 2, on his half of the Bell pair, 36 To define local correlations, consider a setting with two players, Alice and Bob. Each player receives an input, x for Alice and y for Bob and produces an output, denoted a for Alice and b for Bob. We say that the players' responses are locally correlated if: P r(a, b|x, y) = λ P r(a|x, λ)P r(b|y, λ)P r(λ). Where λ is known as a hidden variable. In other words, given this hidden variable, the players' responses depend only on their local inputs. and on input b = 1, he measures (X − Z)/ √ 2. We refer to this strategy as the optimal quantum strategy for the CHSH game. McKague, Yang and Scarani proved a converse of Tsierlson's result, by showing that if one observes two players winning the CHSH game with a near cos 2 (π/8) probability, then it can be concluded that the players' shared state is close to a Bell pair and their observables are close to the ideal observables of the optimal strategy (Pauli X and Z, for Alice, and (X + Z)/ √ 2 and (X − Z)/ √ 2, for Bob) [70]. This is effectively a self-test for a Bell pair. Reichardt, Unger and Vazirani then proved a more general result for self-testing a tensor product of multiple Bell states as well as the observables acting on these states [19] 37 . It is this latter result that is relevant for the RUV protocol so we give a more formal statement for it: Theorem 8. Suppose two players, Alice and Bob, are instructed to play n sequential CHSH games. Let the inputs, for Alice and Bob, be given by the n-bit strings a, b ∈ {0, 1} n . Additionally, let S = (|ψ ,Ã(a),B(b)) be the strategy employed by Alice and Bob in playing the n CHSH games, where |ψ is their shared state andÃ(a) andB(b) are their respective observables, for inputs a, b.
Suppose Alice and Bob win at least n(1 − )cos 2 (π/8) games, with = poly(δ, 1/n) for some δ > 0, such that → 0 as δ → 0 or n → ∞. Then, there exist a local isometry Φ = Φ A ⊗ Φ B and a state |junk such that: and: What this means is that, up to a local isometry, the players share a state which is close in trace distance to a tensor product of Bell pairs and their measurements are close to the ideal measurements. This result, known as CHSH game rigidity, is the key idea for performing multi-prover verification using a classical verifier. We will refer to the protocol in this section as the RUV protocol. 37 Note that the McKague, Yang and Scarani result could also be used to certify a tensor product of Bell pairs, by repeating the self-test of a single Bell pair multiple times. However, this would require each repetition to be independent of the previous one. In other words the states shared by Alice and Bob, as well as their measurement outcomes, should be independent and identically distributed (i.i.d.) in each repetition. The Reichardt, Unger and Vazirani result makes no such assumption.
Before giving the description of the protocol, let us first look at an example of gate teleportation, which we also mentioned when presenting the Poly-QAS VQC protocol of Subsection 2.1. Suppose two parties, Alice and Bob, share a Bell state |Φ + . Bob applies a unitary U on his share of the entangled state so that the joint state becomes (I ⊗ U ) |Φ + . Alice now takes an additional qubit, labelled |ψ and measures this qubit and the one from the |Φ + state in the Bell basis given by the states: The outcome of this measurement will be two classical bits which we label b 1 and b 2 . After the measurement, the state on Bob's system will be U X b1 Z b2 |ψ . Essentially, Bob has a one-time padded version of |ψ with the U gate applied. We now describe the RUV protocol. It uses two quantum provers but can be generalized to any number of provers greater than two. Suppose that Alice and Bob are the two provers. They are allowed to share an unbounded amount of quantum entanglement but are not allowed to communicate during the protocol. A verifier will interact classically with both of them in order to delegate and check an arbitrary quantum computation specified by the quantum circuit C. The protocol consists in alternating randomly between four sub-protocols: • CHSH games. In this subprotocol, the verifier will simply play CHSH games with Alice and Bob.
To be precise, the verifier will repeatedly instruct Alice and Bob to perform the ideal measurements of the CHSH game. She will collect the answers of the two provers (which we shall refer to as CHSH statistics) and after a certain number of games, will compute the win rate of the two provers. The verifier is interested in the case when Alice and Bob win close to the maximum number of games as predicted by quantum mechanics. Thus, at the start of the protocol she takes = poly(1/|C|) and accepts the statistics produced by Alice and Bob if and only if they win at least a fraction (1 − )cos 2 (π/8) of the total number of games. Using the rigidity result, this implies that Alice and Bob share a state which is close to a tensor product of perfect Bell states (up to a local isometry). This step is schematically illustrated in Figure 11.
• State tomography. This time the verifier will instruct Alice to perform the ideal CHSH game measurements, as in the previous case. However, she instructs Bob to measure his halves of the entangled states so that they collapse to a set of resource states which will be used to perform gate teleportation. The resource states are chosen so that they are universal for quantum computation. Specifically, in the RUV protocol, the following resource states are used: {P |0 , (HP) 2 |Φ + , (GY) 2 |Φ + , CNOT 2,4 P 2 Q 4 (|Φ + ⊗ |Φ + ) : P, Q ∈ {X, Y, Z, I}}, where G = exp −i π 8 Y and the subscripts indicate on which qubits the operators act. Assuming Alice and Bob do indeed share Bell states, Bob's measurements will collapse Alice's states to the same resource states (up to a one-time padding known to the verifier). Alice's measurements on these states are used to check Bob's preparation, effectively performing state tomography on the resource states.
• Process tomography. This subprotocol is similar to the state tomography one, except the roles of Alice and Bob are reversed. The verifier instructs Bob to perform the ideal CHSH game measurements. Alice, on the other hand, is instructed to perform Bell basis measurements on pairs of qubits. As in the previous subprotocol, Bob's measurement outcomes are used to tomographically check that Alice is indeed performing the correct measurements.
• Computation. The final subprotocol combines the previous two. Bob is asked to perform the resource preparation measurements, while Alice is asked to perform Bell basis measurements. This effectively makes Alice perform the desired computation through repeated gate teleportation.
An important aspect, in proving the correctness of the protocol, is the local similarity of pairs of subprotocols. For instance, Alice cannot distinguish between the CHSH subprotocol and the state tomography one, or between the process tomography one and computation. This is because, in those situations, she is asked to perform the same operations on her side, while being unaware of what Bob is doing. Moreover, since the verifier can test all but the computation part, if Alice deviates there will be a high probability of her deviation being detected. The same is true for Bob. In this way, the verifier can, essentially, enforce that the two players behave honestly and thus perform the correct quantum computation. Note, that this is not the same as the blindness property, discussed in relation to the previous protocols. The RUV protocol does, however, posses that property as well. This follows from a more involved argument regarding the way in which the computation by teleportation is performed.
It should be noted that there are only two constraints imposed on the provers: that they cannot communicate once the protocol has commenced and that they produce close to quantum optimal winrates for the CHSH games. Importantly, there are no constraints on the quantum systems possessed by the provers, which can be arbitrarily large. Similarly, there are no constraints on what measurements they perform or what strategy they use in order to respond to the verifier. In spite of this, the rigidity result shows that for the provers to produce statistics that are accepted by the verifier, they must behave according to the ideal strategy (up to local isometry). Having the ability to fully characterise the prover's shared state and their strategies in this way is what allows the verifier to check the correctness of the delegated quantum computation. This approach, of giving a full characterisation of the states and observables of the provers, is a powerful technique which is employed by all the other entanglement-based protocols, as we will see.
In terms of practically implementing such a protocol, there are two main considerations: the amount of communication required between the verfier and the provers and the required quantum capabilities of the provers. For the latter, it is easy to see that the RUV protocol requires both provers to be universal quantum computers (i.e. BQP machines), having the ability to store multiple quantum states and perform quantum circuits on these states. In terms of the communication complexity, since the verifier is restricted to BPP, the amount of communication must scale polynomially with the size of the delegated computation. It was computed in [20], that this communication complexity is of the order O(|C| c ), with c > 8192. Without even considering the constant factors involved, this scaling is far too large for any sort of practical implementation in the near future 38 .
There are essentially two reasons for the large exponent in the scaling of the communication complexity. The first, as mentioned by the authors, is that the bounds derived in the rigidity result are not tight and could possibly be improved. The second and, arguably more important reason, stems from the rigidity result itself. In Theorem 8, notice that = poly(δ, 1/n) and → 0 as n → ∞. We also know that the provers need to win a fraction (1 − )cos 2 (π/8) of CHSH games, in order to pass the verifier's checks. Thus, the completeness-soundness gap of the protocol will be determined by . But since, for fixed δ, is essentially inverse polynomial in n, the completeness-soundness gap will also be inverse polynomial in n. Hence, one requires polynomially many repetition in order to boost the gap to constant. We conclude with: Theorem 9. The RUV protocol is an MIP * protocol achieving an inverse polynomial gap between completeness and soundness.
GKW protocol. As mentioned, in the RUV protocol the two quantum provers must be universal quantum computers. One could ask whether this is a necessity or whether there is a way to reduce one of the provers to be non-universal. In a paper by Gheorghiu, Kashefi and Wallden it was shown that the latter option is indeed possible. This leads to a protocol which we shall refer to as the GKW protocol. The protocol is based on the observation that one could use the state tomography subprotocol of RUV in such a way so that one prover is remotely preparing single qubit states for the other prover. The preparing prover would then only be required to perform single qubit measurements and, hence, not need the full capabilities of a universal quantum computer. The specific single qubit states that are chosen, can be the ones used in the VUBQC protocol of Subsection 2.2. This latter prover can then be instructed to perform the VUBQC protocol with these states. Importantly, because the provers are not allowed to communicate, this would preserve the blindness requirement of VUBQC. We will refer to the preparing prover as the sender and the remaining prover as the receiver. Once again, we assume the verifier wishes to delegate to the provers the evaluation of some quantum circuit C.
The protocol, therefore, has a two-step structure: (1) Verified preparation. This part is akin to the state tomography subprotocol of RUV. The verifier is trying to certify the correct preparation of states {|+ θ } θ and |0 , |1 , where θ ∈ {0, π/4, ..., 7π/4}. Recall that these are the states used in VUBQC. We shall refer to them as the resource states. This is done by self-testing a tensor product of Bell pairs and the observables of the two provers using CHSH games and the rigidity result of Theorem 8 39 . As in the RUV protocol, the verifier will play multiple CHSH games with the provers. This time, however, each game will be an extended CHSH game (as defined in [19]) in which the verifier will ask each prover to measure an observable from the set {X, Y, Z, (X ± Z)/ √ 2, (Y ± Z)/ √ 2, (X ± Y)/ √ 2}. Alternatively, this can be viewed as the verifier choosing to play one of 6 possible CHSH games defined by the observables in that set 40 These observables are sufficient for obtaining the desired resource states. In particular, measuring the X, Y, and (X ± Y)/ √ 2 observables on the Bell pairs will collapse the entangled qubits to states of the form {|+ θ } θ , while measuring Z will collapse them to |0 , |1 . The verifier accepts if the provers win a fraction (1 − )cos 2 (π/8) of the CHSH games, where = poly(δ, 1/|C|), and δ > 0 is the desired trace distance between the reduced state on the receiver's side and the ideal state consisting of the required resource states in tensor product, up to a local isometry ( → 0 as δ → 0 or |C| → ∞). The verifier will also instruct the sender prover to perform additional measurements so as to carry out the remote preparation on the receiver's side. This verified preparation is illustrated in Figure 12.
(2) Verified computation. This part involves verifying the actual quantum computation, C. Once the resource states have been prepared on the receiver's side, the verifier will perform the VUBQC protocol with that prover as if she had sent him the resource states. She accepts the outcome of the computation if all trap measurements succeed, as in VUBQC.
(a) Testing preparation (b) Preparing a qubit

Fig. 12: Verified preparation
Note the essential difference, in terms of the provers' requirements, between this protocol and the RUV protocol. In the RUV protocol, both provers had to perform entangling measurements. However, in the GKW protocol, the sender prover is required to only perform single qubit measurements. This means that the sender prover can essentially be viewed as an untrusted measurement device, whereas the receiver is the only universal quantum computer. For this reason, the GKW protocol is also described as a device-independent [72,73] verification protocol. This stems from comparing it to VUBQC or the receiveand-measure protocols, of Section 3, where the verifier had a trusted preparation or measurement device. In this case, the verifier essentially has a measurement device (the sender prover) which is untrusted.
Of course, performing the verified preparation subprotocol and combining it with VUBQC raises some questions. For starters, in the VUBQC protocol, the state sent to the prover is assumed to be an ideal state (i.e. an exact tensor product of states of the form |+ θ or |0 , |1 ). However, in this case 39 In fact, what is used here is a more general version of Theorem 8 involving an extended CHSH game. See the appendix section of [19]. 40 For instance, one game would involve Alice measuring either X or Y, whereas Bob should measure (X + Y)/ √ 2 or (X − Y)/ √ 2. Similar games can be defined by suitably choosing observables from the given set.
the preparation stage is probabilistic in nature and therefore the state of the receiver will be δ-close to the ideal tensor product state, for some δ > 0. How is the completeness-soundness gap of the VUBQC protocol affected by this? Stated differently, is VUBQC robust to deviations in the input state? A second aspect is that, since the resource state is prepared by the untrusted sender, even though it is δ-close to ideal, it can, in principle, be correlated with the receiving prover's system. Do these initial correlations affect the security of the protocol? Both of these issues are addressed in the proofs of the GKW protocol. Firstly, assume that in the VUBQC protocol the prover receives a state which is δ-close to ideal and uncorrelated with his private system. Any action of the prover can, in the most general sense, be modelled as a CPTP map. This CPTP map is of course distance preserving and so the output of this action will be δ-close to the output in the ideal case. It follows from this that the probabilities of the verifier accepting a correct or incorrect result change by at most O(δ). As long as δ > 1/poly(|C|) (for a suitably chosen polynomial), the protocol remains a valid QPIP protocol.
Secondly, assume now that the δ-close resource state is correlated with the prover's private system, in VUBQC. It would seem that the prover could, in principle, exploit this correlation in order to convince the verifier to accept an incorrect outcome. However, it is shown that this is, in fact, not the case, as long as the correlations are small. Mathematically, let ρ V P be the state comprising of the resource state and the prover's private system. In the ideal case, this state should be a product state of the form ρ V ⊗ ρ P , where ρ V = |ψ id ψ id | is the ideal resource state and ρ P the prover's system. However, in the general case the state can be entangled. In spite of this, it is known that: Using a result known as the gentle measurement lemma [19], one can show that this implies: In other words, the joint system of resource states and the prover's private memory is O( √ δ)-close to the ideal system. Once again, as long as δ > 1/poly(|C|) (for a suitably chosen polynomial), the protocol is a valid QPIP protocol.
These two facts essentially show that the GKW protocol is a valid entanglement-based protocol, as long as sufficient tests are performed in the verified preparation stage so that the system of resource states is close to the ideal resource states. As with the RUV protocol, this implies a large communication overhead, with the communication complexity being of the order O(|C| c ), where c > 2048. One therefore has: Theorem 10. The GKW protocol is an MIP * protocol achieving an inverse polynomial gap between completeness and soundness.
Before concluding this section, we describe the steering-based VUBQC protocol that we referenced in Section 3. As mentioned, the GKW protocol can be viewed as a protocol involving a verifier with an untrusted measurement device interacting with a quantum prover. In a subsequent paper, Gheorghiu, Wallden and Kashefi addressed the setting in which the verifier's device becomes trusted [34]. They showed that one can define a self-testing game for Bell states which involves steering correlations [74] as opposed to non-local correlations. Steering correlations arise in a two-player setting in which one of the players is trusted to measure certain observables. This extra piece of information allows for the characterisation of Bell states with comparatively fewer statistics than in the non-local case. The steeringbased VUBQC protocol, therefore, has exactly the same structure as the GKW protocol. First, the verifier uses this steering-based game, between her measurement device and the prover, to certify that the prover prepared a tensor product of Bell pairs. She then measures some of the Bell pairs so as to remotely prepare the resource states of VUBQC on the prover's side and then performs the trap-based verification. As mentioned in Section 3, the protocol has a communication complexity of O(|C| 13 log(|C|)) which is clearly an improvement over O(|C| 2048 ). This improvement stems from the trust added to the measurement device. However, the overhead is still too great for any practical implementation.
HPDF protocol. Independently from the GKW approach, Hajdušek, Pérez-Delgado and Fitzsimons developed a protocol which also combines the CHSH rigidity result with the VUBQC protocol. This protocol, which we refer to as the HPDF protocol has the same structure as GKW in the sense that it is divided into a verified preparation stage and a verified computation stage. The major difference is that the number of non-communicating provers is on the order O(poly(|C|)), where C is the computation that the verifier wishes to delegate. Essentially, there is one prover for each Bell pair that is used in the verified preparation stage. This differs from the previous two approaches in that the verifier knows, a priori, that there is a tensor product structure of states. She then needs to certify that these states are close, in trace distance, to Bell pairs. The advantage of assuming the existence of the tensor product structure, instead of deriving it through the RUV rigidity result, is that the overhead of the protocol is drastically reduced. Specifically, the total number of provers, and hence the total communication complexity of the protocol is of the order O(|C| 4 log(|C|)).
We now state the steps of the HPDF protocol. We will refer to one of the provers as the verifier's untrusted measurement device. This is akin to the sender prover in the GKW protocol. The remaining provers are the ones which will "receive" the states prepared by the verifier and subsequently perform the quantum computation.
(1) Verified preparation. The verifier is trying to certify the correct preparation of the resource states {|+ θ } θ and |0 , |1 , where θ ∈ {0, π/4, ..., 7π/4}. The verifier instructs each prover to prepare a Bell pair and send one half to her untrusted measurement device. For each received state, she will randomly measure one of the following observables {X, Y, Z, Each prover is either instructed to randomly measure an observable from the set {X, Y, Z} or to not perform any measurement at all. The latter case corresponds to the qubits which are prepared for the computation stage. The verifier will compute correlations between the measurement outcomes of her device and the provers and accept if these correlations are above some threshold parametrized by = poly(δ, 1/|C|) ( → 0 as δ → 0 or |C| → ∞), where δ > 0 is the desired trace distance between the reduced state on the receiving provers' sides and the ideal state consisting of the required resource states in tensor product, up to a local isometry.
(2) Verified computation. Assuming the verifier accepted in the previous stage, she instructs the provers that have received the resource states to act as a single prover. The verifier then performs the VUBQC protocol with that prover as if she had sent him the resource states. She accepts the outcome of the computation if all trap measurements succeed, as in VUBQC.
In their paper, Hajdušek et al have proved that the procedure in the verified preparation stage of their protocol constitutes a self-testing procedure for Bell states. This procedure self-tests individual Bell pairs, as opposed to the CHSH rigidity theorem which self-tests a tensor product of Bell pairs. In this case, however, the tensor product structure is already given by having the O(|C| 4 log(|C|)) non-communicating provers. The correctness of the verified computation stage follows from the robustness of the VUBQC protocol, as mentioned in the previous section. One therefore has the following: Theorem 11. The HPDF protocol is an MIP * [poly] protocol achieving an inverse polynomial gap between completeness and soundness.

Verification based on self-testing graph states
We saw, in the HPDF protocol, that having multiple non-communicating provers presents a certain advantage in characterising the shared state of these provers, due to the tensor product structure of the provers' Hilbert spaces. This approach not only leads to simplified proofs, but also to a reduced overhead in characterising this state, when compared to the CHSH rigidity Theorem 8, from [19].
Another approach which takes advantage of this tensor product structure is the one of McKague from [22]. In his protocol, as in HPDF, the verifier will interact with O(poly(|C|)) provers. Specifically, there are multiple groups of O(|C|) provers, each group jointly sharing a graph state |G . In particular, each prover should hold only one qubit from |G . The central idea is for the verifier to instruct the provers to measure their qubits to either test that the provers are sharing the correct graph state or to perform an MBQC computation of C. This approach is similar to the stabilizer measurement-only protocol of Subsection 3.1 and, just like in that protocol or the Test-or-Compute or RUV protocols, the verifier will randomly alternate between tests and computation.
Before giving more details about this verification procedure, we first describe the type of graph state that is used in the protocol and the properties which allow this state to be useful for verification. McKague considers |G to be a triangular graph state, which is a type of universal cluster state. What this means is that the graph G on which the state is based on, is a triangular lattice (a planar graph with triangular faces). An example is shown in Figure 13. For each vertex v in G we have that: , for all vertices v. This is important for the testing part of the protocol as it means that measuring the observable S v will always yield the outcome 1. Another important property is: where τ is a set of 3 neighboring vertices which comprise a triangle in the graph G (and N (τ ) are the neighbors of those vertices). This implies that measuring T τ = X τ Z N (τ ) produces the outcome −1. Triangular graph states are universal for quantum computation, as explained in [22], by performing local measurements (with corrections) on the vertex qubits using the observables R(θ) = cos(θ)X + sin(θ)Z, where θ ∈ {0, π/4, ..., 7π/4}. We now have the necessary elements to describe McKague's protocol. The verifier considers a triangular graph state |G for the computation she wishes to verify. Let n = O(|C|) denote the number of vertices in G. In the ideal case, there will be multiple groups of n provers and, in each group, every prover should have one of the qubits of this graph (entangled with its neighbors). Denote T as the number of triangles (consisting of 3 neighboring vertices) in G and N G = 3n + T . The protocol's setting is shown in Figure 14. The verifier will choose one of the n groups of provers at random to perform the computation C. The computation is performed in an MBQC fashion. In other words, the verifier will pick appropriate measurement angles {θ v } v∈V (G) , for all vertices in G, as well as a partial order for the vertices. To perform the computation C, the verifier instructs the provers to measure the qubits of |G with the observables R(θ v ), defined above. The partial order establishes the temporal ordering of these measurements. Additionally, the θ v angles, for the R(θ v ) measurements, should be updated so as to account for corrections arising from previous measurement outcomes. In other words, the angles {θ v } v∈V (G) , which we shall refer to as computation angles, are the ideal angles assuming no corrections. See Subsection 7.2 for more details about measurement-based quantum computations.
The remaining groups of provers are used to test that the correct graph state, |G , was prepared. This testing phase consists in the verifier randomly choosing to run one of the following sub-protocols: • Vertex test, chosen with probability n N G . The verifier randomly picks a vertex v of the graph. She instructs the prover having the qubit corresponding to v to measure it in the X basis. At the same time, she asks the provers having the neighboring qubits, N (v), to measure them in the Z basis. The ±1 outcomes of the provers are multiplied by the verifier and she checks to see whether this product is 1 (since she is essentially measuring the S v stabilizer). If this is the case, she accepts, otherwise she rejects.
• Triangle test, chosen with probability T N G . Similar to the previous test, the verifier picks a random triangle in G, consisting of the vertices τ . She instructs the provers having these vertices to measure them in the X basis, while their neighbors (N (τ )) are instructed to measure in the Z basis. The verifier checks if the product of their outcomes is −1 and if so, she accepts, otherwise she rejects.
• R(θ) test, chosen with probability 2n N G . In this case the verifier first randomly picks a vertex v of the graph, a neighbor u of v (so u ∈ N (v)) and t in {−1, +1}. She then randomly picks X with probability p = cos(θv) cos(θv)+|sin(θv)| or Z with probability 1 − p, where θ v is the computation angle associated with v. If she chose X, then she queries the prover holding v to measure R(tθ v ), and his neighbors (N (v)) to measure Z. She accepts if the product of their replies is +1. If the verifier instead chose Z, then she instructs the prover holding v to measure tR(tθ v ), the prover holding u to measure X and the neighbors of u and v to measure Z. She accepts if the product of their outcomes is +1.
Together, these three tests are effectively performing a self-test of the graph state |G and the prover's observables. Specifically, McKague showed the following: Theorem 12. For a triangular graph G, having n vertices, suppose that n provers, performing the strategy S = (|ψ , {Õ j i } ij ) succeed in the test described above with probability 1− , where = poly(δ, 1/n) for some δ > 0 and → 0 as δ → 0 or n → ∞. The strategy involves sharing the state |ψ and measuring the observables {Õ j i } ij , where each prover, i, has observables {Õ j i } j . Then there exists a local isometry Φ = n i=1 Φ i and a state |junk such that: and for all j: where for all i, O j i ∈ {R(θ)| θ ∈ {0, π/4, ..., 7π/4}} 41 . Note that the verifier will ask the provers to perform the same types of measurements in both the testing phase and the computation phase of the protocol. This means that, at the level of each prover, the testing and computation phases are indistinguishable. Moreover, the triangular state |G , being a universal cluster state, will be the same for computations of the same size. Therefore, the protocol is blind in the sense that each prover, on its own, is unaware of what computation is being performed. In summary, the protocol consists of the verifier choosing to perform one of the following: • Computation. In this case, the verifier instructs the provers to perform the MBQC computation of C on the graph state |G , as described above.
• Testing |G . In this case, the verifier will randomly choose between one of the three tests described above accepting if an only if the test succeeds.
It is therefore the case that: Theorem 13. McKague's protocol is an MIP * [poly] protocol having an inverse polynomial gap between completeness and soundness.
As with the previous approaches, the reason for the inverse polynomial gap between completeness and soundness is the use of a self-test with robustness = poly(1/n) (and → 0 as n → ∞). In turn, this leads to a polynomial overhead for the protocol as a whole. Specifically, McKague showed that the total number of required provers and communication complexity, for a quantum computation C, is of the order O(|C| 22 ). Note, however, that each of the provers must only perform a single-qubit measurement. Hence, apart from the initial preparation of the graph state |G , the individual provers are not universal quantum computers, merely single-qubit measurement devices.

Post-hoc verification
In Subsection 3.2 we reviewed a protocol by Morimae and Fitzsimons for post-hoc verification of quantum computation. Of course, that protocol involved a single quantum prover and a verifier with a measurement device. In this section, we review two post-hoc protocols for the multi-prover setting having a classical verifier. We start with the first post-hoc protocol by Fitzsimons and Hajdušek.

FH protocol. Similar to the 1S-Post-hoc protocol from Subsection 3.2, the protocol of Fitzsimons and
Hajdušek, which we shall refer to as the FH protocol, also makes use of the local Hamiltonian problem stated in Definition 9. As mentioned, this problem is complete for the class QMA, which consists of problems that can be decided by a BQP verifier receiving a witness state from a prover. Importantly, the size of the witness state is polynomial in the size of the input to the problem. However, Fitzsimons and Vidick proposed a protocol for the k-local Hamiltonian problem (and hence any QMA problem), involving 5 provers, in which the quantum state received by the verifier is of constant size [75]. That protocol is the basis for the FH protocol and so we start with a description of it.
Suppose that the k-local Hamiltonian is of the form H = i H i , acting on a system of n qubits and each H i is a k-local, n-qubit projector. For fixed a and b, such that b − a ≥ 1/poly(n), the verifier should accept if there exists a state |ψ such that ψ| H |ψ ≤ a and reject if for all states |ψ it is the case that ψ| H |ψ ≥ b. Suppose we are in the acceptance case and let |ψ be the witness state. The 5 provers must share a version of |ψ encoded in the 5-qubit error correcting code 42 , denoted |ψ L . Specifically, for each logical qubit of |ψ L , each prover should hold one of its constituent physical qubits. The verifier will then check that the provers are indeed sharing this state, accepting if this is the case and rejecting otherwise. She will also perform an energy measurement on the state, to estimate if it has energy above b or below a. To do this she will, with equal probability, choose to either test that the shared state of the provers has energy below a or that the provers share a state encoded in the 5-qubit code: • Energy measurement. In this case, the verifier will pick a random term H i , from H, and ask each prover for k qubits corresponding to the logical states on which H i acts. The verifier will then perform a two-outcome measurement, defined by the operators {H i , I − H i } on the received qubits. As in the 1S-Post-hoc protocol, this provides an estimate for the energy of |ψ . The verifier accepts if the measurement outcome indicates the state has energy below a.
• Encoding measurement. In this case the verifier will choose at random between two subtests. In the first subtest, she will choose j at random from 1 to n and ask each prover to return the physical qubits comprising the j'th logical qubit. She then measures these qubits to check whether their joint state lies within the code space, accepting if it does and rejecting otherwise. In the second subtest, the verifier chooses a random set, S, of 3 values between 1 and n. She also picks one of the values at random, labelled j. The verifier then asks a randomly chosen prover for the physical qubits of the logical states indexed by the values in S, while asking the remaining provers for their shares of logical qubit j. As an example, if the set contains the values {1, 5, 8}, then the verifier picks one of the 5 provers at random and asks him for his shares (physical qubits) of logical qubits 1, 5 and 8 from |ψ . Assuming that the verifier also picked the random value 8 from the set, then she will ask 42 The 5-qubit code is the smallest error correcting capable of correcting for arbitrary single-qubit errors [76].
the remaining provers for their shares of logical qubit 8. The verifier then measures logical qubit j (or 8, in our example) and checks if it is in the code subspace, accepting if it is and rejecting otherwise. The purpose of this second subtest is to guarantee that the provers respond with different qubits when queried.
One can see that when the witness state exists and the provers follow the protocol, the verifier will indeed accept with high probability. On the other hand, Fitzsimons and Vidick show that when there is no witness state, the provers will fail at convincing the verifier to accept with high probability. This is because they cannot simultaneously provide qubits yielding the correct energy measurements and also have their joint state be in the correct code space. This also illustrates why their protocol required testing both of these conditions. If one wanted to simplify the protocol, so as to have a single prover providing the qubits for the verifier's {H i , I − H i } measurement, then it is no longer possible to prove soundness. The reason is that even if there does not exist a |ψ having energy less than a for H, the prover could still find a group of k qubits which minimize the energy constraint for the specific H i that the verifier wishes to measure. The second subtest prevents this from happening, with high probability, since it forces the provers to consistently provide the requested indexed qubits from the state |ψ .
Note that for a BQP computation, defined by the quantum circuit C and input x, the state |ψ in the Fitzsimons and Vidick protocol becomes the Feynman-Kitaev state of that circuit, as described in Subsection 3.2. The FH protocol essentially takes the Fitzsimons and Vidick protocol for BQP computations and alters it by making the verifier classical. This is achieved using an approach of Ji [77] which allows for the two tests to be performed using only classical interaction with the provers. The idea is based on self-testing and is similar to the rigidity of the CHSH game. To understand this approach let us first examine the stabilizer generators, {g i } 4 i=1 for the code space of the 5-qubit code, shown in Table 3. Notice that they all involve only Pauli X, Z or identity operators. In particular, the operator acting on the fifth qubit is always either X or Z. Ji then considers rotating this operator so that X → X and Table 4.   Table 4: Generators with fifth operator rotated The new operators satisfy a useful property. For any state |φ in the code space of the 5-qubit code, it is the case that: This is similar to the CHSH game. In the CHSH game, the ideal strategy involves Alice measuring either X or Z and Bob measuring either X or Z , respectively, on the maximally entangled state |Φ + . These observables and the Bell state satisfy: It can be shown that having observables which satisfy this relation implies that Alice and Bob win the CHSH game with the (quantum) optimal probability of success cos 2 (π/8). Analogous to the CHSH game, the stabilizers {g i } 4 i=1 , viewed as observables, can be used to define a 5-player non-local game, in which the optimal quantum strategy involves measuring these observables on a state encoded in the 5-qubit code. Moreover, just like in the CHSH game, observing the players achieve the maximum quantum winrate for the game implies that, up to local isometry, the players are following the ideal quantum strategy. We will not detail the game, except to say that it inolves partitioning the 5 provers into two sets, one consisting of four provers and the other with the remaining prover. Such a bipartition of a state encoded in the 5-qubit code yields a state which is isometric to a Bell pair. This means that the 5-player game is essentially self-testing a maximally entangled state, hence the similarity to the CHSH game. This then allows a classical verifier, interacting with the 5 provers, to perform the encoding test of the Fitzsimons and Vidick protocol.
We have discussed how a classical verifier can test that the 5 provers share a state encoded in the logical space of the 5-qubit code. But to achieve the functionality of the Fitzsimons and Vidick protocol, one needs to also delegate to the provers the measurement of a local term H i from the Hamiltonian. This is again possible using the 5-player non-local game. Firstly, it can be shown that, without loss of generality, that each H i , in the k-local Hamiltonian, can be expressed as a linear combination of terms comprised entirely of I, X and Z. This means that the Hamiltonian itself is a linear combination of such terms, H = i a i S i , where a i are real coefficients and S i are k-local XZ-terms. This is akin to the XZ-Hamiltonian from the 1S-Post-hoc protocol.
Given this fact, the verifier can measure one of the S i terms, in order to estimate the energy of the ground state, instead of measuring {H i , I − H i }. She will pick an S i term at random and ask the provers to measure the constituent Pauli observables in S i . However, the verifier will also alternate these measurements with the stabilizer measurements of the non-local game, rejecting if the provers do not achieve the maximal non-local value of the game. This essentially forces the provers to perform the correct measurements. To summarize, the FH protocol is a version of the Fitzsimons and Vidick protocol which restricts the provers to be BQP machines and uses Ji's techniques, based on non-local games, to make the verifier classical. The steps of the FH protocol are as follows: (1) The verifier instructs the provers to share the Feynman-Kitaev state, associated with her circuit C, encoded in the 5-qubit error correcting code, as described above. We denote this state as |ψ L . The provers are then split up and not allowed to communicate. The verifier then considers a klocal Hamiltonian having |ψ L as a ground state as well as the threshold values a and b, with b − a > 1/poly(|C|).
(2) The verifier chooses to either perform the energy measurement or the encoding measurement as described above. For the energy measurement she asks the provers to measure a randomly chosen XZ-term from the local Hamiltonian. The verifier accepts if the outcome indicates that the energy of |ψ L is below a. For the encoding measurement the verifier instructs the provers to perform the measurements of the 5-player non-local game. She accepts if the provers win the game, indicating that their shared state is correctly encoded.
One therefore has: Theorem 14. The FH protocol is an MIP * protocol achieving an inverse polynomial gap between completeness and soundness.
There are two significant differences between this protocol and the previous entanglement-based approaches. The first is that the protocol does not use self-testing to enforce that the provers are performing the correct operations in order to implement the computation C. Instead, the computation is checked indirectly by using the self-testing result to estimate the ground-state energy of the k-local Hamiltonian. This then provides an answer to the considered BQP computation viewed as a decision problem 43 . The second difference is that the protocol is not blind. In all the previous approaches, the provers had to share an entangled state which was independent of the computation, up to a certain size. However, in the FH protocol, the state that the provers need to share depends on which quantum computation the verifier wishes to perform.
In terms of communication complexity, the protocol, as described, would involve only 2 rounds of interaction between the verifier and the provers. However, since the completeness-soundness gap is inverse polynomial, and therefore decreases with the size of the computation, it becomes necessary to repeat the protocol multiple times to properly differentiate between the accepting and rejecting cases. On the one hand, the local Hamiltonian itself has an inverse polynomial gap between the two cases of acceptance and rejection. As shown in [31,65], for the Hamiltonian resulting from a quantum circuit, C, that gap is 1/|C| 2 . To boost this gap to constant, the provers must share O(|C| 2 ) copies of the Feynman-Kitaev state.
On the other hand, the self-testing result has an inverse polynomial robustness. This means that estimating the energy of the ground state is done with a precision which scales inverse polynomially in the number of qubits of the state. More precisely, according to Ji's result, the scaling should be 1/O(N 16 ), where N is the number of qubits on which the Hamiltonian acts [77]. This means that the protocol should be repeated on the order of O(N 16 ) times, in order to boost the completeness-soundness gap to constant.
NV protocol. The second entanglement-based post-hoc protocol was developed by Natarajan and Vidick [24] and we therefore refer to it as the NV protocol. The main ideas of the protocol are similar to those of the FH protocol. However, Natarajan and Vidick prove a self-testing result having constant robustness and use it in order to perform the energy estimation of the ground state for the local Hamiltonian.
The statement of their general self-testing result is too involved to state here, so instead we reproduce a corollary to their result (also from [24]) that is used for the NV protocol. This corollary involves selftesting a tensor product of Bell pairs: Theorem 15. For any integer n there exists a two-player non-local game, known as the Pauli braiding test (P BT ), with O(n)-bit questions and O(1)-bit answers satisfying the following: Let S = (|ψ ,Ã(a),B(b)) be the strategy employed by two players (Alice and Bob) in playing the game, where |ψ is their shared state andÃ(a) andB(b) are their respective (multi-qubit) observables when given n-bit questions a and b, respectively. Suppose Alice and Bob win the Pauli braiding test with probability ω * (P BT ) − , for some > 0 (note that ω * (P BT ) = 1). Then there exist δ = poly( ), a local isometry Φ = Φ A ⊗ Φ B and a state |junk such that: where X(a) = n i=1 X a(i) and This theorem is essentially a self-testing result for a tensor product of Bell states, and Pauli X and Z observables, achieving a constant robustness. The Pauli braiding test is used in the NV protocol in a similar fashion to Ji's result, from the previous subsection, in order to certify that a set of provers are sharing a state that is encoded in a quantum error correcting code. Again, this relies on a bi-partition of the provers into two sets, such that, an encoded state shared across the bi-partition is equivalent to a Bell pair. Let us first explain the general idea of the Pauli braiding test for self-testing n Bell pairs and n-qubit observables. We have a referee that is interacting with two players, labelled Alice and Bob. The test consists of three subtests which are chosen at random by the referee. The subtests are: • Linearity test. In this test, the referee will randomly pick a basis setting, W , from the set {X, Z}. She then randomly chooses two strings a 1 , a 2 ∈ {0, 1} n and sends them to Alice. With equal probability, the referee takes b 1 to be either a 1 , a 2 or a 1 ⊕ a 2 . She also randomly chooses a string b 2 ∈ {0, 1} n and sends the pair (b 1 , b 2 ) to Bob 44 . Alice and Bob are then asked to measure the observables W (a 1 ), W (a 2 ) and W (b 1 ), W (b 2 ), respectively, on their shared state. We denote Alice's outcomes as a 1 , a 2 and Bob's outcomes as b 1 , b 2 . If b 1 = a 1 (or b 1 = a 2 , respectively), the referee checks that b 1 = a 1 (or b 1 = a 2 , respectively). If b 1 = a 1 ⊕ a 2 , she checks that b 1 = a 1 a 2 . This test is checking, on the one hand, that when Alice and Bob measure the same observables, they should get the same outcome (which is what should happen if they share Bell states). On the other hand, and more importantly, it is checking the commutation and linearity of their operators, i.e. that W (a 1 )W (a 2 ) = W (a 2 )W (a 1 ) = W (a 1 + a 2 ) (and similarly for Bob's operators).
• Anticommutation test. The referee randomly chooses two strings x, z ∈ {0, 1} n , such that x · z = 1 mod 2, and sends them to both players. These strings define the observables X(x) and Z(z) which are anticommuting because of the imposed condition on x and z. The referee then engages in a non-local game with Alice and Bob designed to test the anticommutation of these observables for both of their systems. This can be any game that tests this property, such as the CHSH game or the magic square game, described in [78,79]. As an example, if the referee chooses to play the CHSH game, then Alice will be instructed to measure either X(x) or Z(z) on her half of the shared state, while Bob would be instructed to measure either (X(x) + Z(z))/ √ 2 or (X(x) − Z(z))/ √ 2. The test is passed if the players achieve the win condition of the chosen anticommutation game. Note that for the case of the magic square game, the condition can be achieved with probability 1 when the players implement the optimal quantum strategy. For this reason, if the chosen game is the magic square game, then ω * (P BT ) = 1.
• Consistency test. This test combines the previous two. The referee randomly chooses a basis setting, W ∈ {X, Z} and two strings x, z ∈ {0, 1} n . Additionally, let w = x, if W = X and w = z if W = Z. The referee sends W , x and z to Alice. With equal probability the referee will then choose to perform one of two subtests. In the first subtest, the referee sends x, z to Bob as well and plays the anticommutation game with both, such that Alice's observable is W (w). As an example, if W = X and the game is the CHSH game, then Alice would be instructed to measure X(x), while Bob is instructed to measure either (X(x) + Z(z))/ √ 2 or (X(x) − Z(z))/ √ 2. This subtest essentially mimics the anticommutation test and is passed if the players achieve the win condition of the game. In the second subtest, which mimics the linearity test, the referee sends W , w and a random string y ∈ {0, 1} n to Bob, instructing him to measure W (w) and W (y). Alice is instructed to measure W (x) and W (z). The test if passed if Alice and Bob obtain the same result for the W (w) observable. For instance, if W = X, then both Alice and Bob will measure X(x) and their outcomes for that measurement must agree.
Having observables that satisfy the linearity conditions of the test as well as the anticommutation condition implies that they are isometric to the actual X and Z observables acting on a maximally entangled state. This is what the Pauli braiding test checks and what is proven by the self-testing result of Natarajan and Vidick.
We can now describe the NV protocol. Similar to the FH protocol, for a quantum circuit, C, and an input, x, one considers the associated Feynman-Kitaev state, denoted |ψ . This is then used to construct a 2-local XZ-Hamiltonian such that the ground state of this Hamiltonian is |ψ . As before, for some a and b, with b − a > 1/poly(|C|), when C accepts x we have that ψ| H |ψ < a, otherwise ψ| H |ψ > b. The verifier will instruct 7 provers to share a copy of |ψ state, encoded in a 7-qubit quantum error correcting code known as Steane's code. The provers are then asked to perform measurements so as to self-test an encoded state or perform an energy measurement on this state. The code space, for Steane's code, is the 7-qubit subspace stabilized by all operators generated by {g i } 6 i=1 , where the generators are listed in Table 5.  Table 5: Generators for Steane's 7-qubit code The reason Natarajan and Vidick use this specific error correcting code is because it has two properties that are necessary for the application of their self-testing result. The first property is that each stabilizer generator is a tensor product of only the I, X and Z operators. This, of course, is true for the 5-qubit code as well. The second property is a symmetry condition: for each index i ∈ {1, ..., 6}, there exists a pair of stabilizer generators, S X and S Z , such that S X consists exclusively of I and X operators and has an X on position i, whereas S Z is identical to S X but with all X operators replaced with Z. This property is not satisfied by the 5-qubit code and will allow the verifier to delegate to the provers measurements of the form X(x) and Z(z), where x and z are binary strings, as in the Pauli braiding test.
Putting everything together, the protocol works as follows. The verifier instructs the 7 provers to share an encoded instance of the Feynman-Kitaev state, |ψ L , such that, for each logical qubit in |ψ L , each prover will hold one of 7 the constituent physical qubits. She then chooses at random to perform one of the following: • Pauli braiding test. The verifier chooses one of the 7 provers at random to be Alice, while the remaining provers will take on the role of Bob. The verifier then performs the Pauli braiding test with Alice and Bob in order to self-test the logical qubits in |ψ L . As mentioned, each logical qubit, encoded in the 7 qubit code, is equivalent to a Bell pair under the chosen bi-partition. The Pauli braiding test is essentially checking that the provers have correctly encoded each of the qubits in |ψ and that they are correctly measuring X and Z observables. The verifier rejects if the provers do not pass the test.
• Energy test. In this case, the verifier will pick an XZ-term, S, from H, at random, and instruct the provers to measure this term on their shared state. Note that S consists of logical X and Z operators. This means that each prover will need to perform local measurements so that their joint measurement acts as either X L or Z L , respectively. Additionally, X L and Z L , for the 7 qubit code, are expressed as tensor products of physical X and Z operations. This means that each prover will be instructed to measure an operators of the form X(x) and Z(z), on its physical qubits, where x, z ∈ {0, 1} N , and N is the total number of logical qubits on which H acts. The product X(x)Z(z) is the outcome for that prover's share of S. The verifier then takes all of these ±1 outcomes and multiplies them together, thus obtaining the outcome of measuring S itself. She accepts if the outcome of the measurement indicates that the estimated energy of |ψ is below a and rejects otherwise.
• Energy consistency test. This test is a combination of the previous two. As in the Pauli braiding test, the provers are bi-partitioned into two sets, one consisting of one prover, denoted Alice, and the other consisting of the other 6 provers, jointly denoted as Bob. The verifier now performs a test akin to the linearity test from Pauli braiding. She randomly chooses W ∈ {X, Z}, and let w = x, if W = X and w = z if W = Z. She also chooses x, z ∈ {0, 1} N according to the same distribution as in the energy test (i.e. as if she were instructing the provers to measure a random XZ-term from H).
The verifier then does one of the following: • With probability 1/2, instructs Alice to measure the observables X(x) and Z(z). Additionally, the verifier chooses y ∈ {0, 1} N at random and instructs Bob to measure W (y) and W (y ⊕ w).
If W = X, the verifier accepts if the product of Bob's answers agrees with Alice's answer for the X(x) observable. If W = Z, the verifier accepts if the product of Bob's answers agrees with Alice's answer for the Z(z) observable. Note that this is the case since the product of Bob's observables should be W (w) if he is behaving honestly.
• With probability 1/4, instructs Alice to measure W (y) and W (v), where y, w ∈ {0, 1} N are chosen at random. Bob is instructed to measure W (y) and W (y ⊕ w). The verifier accepts if the outcomes of Alice and Bob for W (y) agree.
• With probability 1/4, instructs Alice to measure W (y ⊕ w) and W (v), where y, w ∈ {0, 1} N are chosen at random. Bob is instructed to measure W (y) and W (y ⊕ w). The verifier accepts if the outcomes of Alice and Bob for W (y ⊕ w) agree.
The self-testing result guarantees that if these tests succeed, the verifier obtains an estimate for the energy of the ground state. Importantly, unlike the FH protocol, her estimate has constant precision. However, the protocol, as described up to this point, will still have an inverse polynomial completenesssoundness gap given by the local Hamiltonian. Recall that this is because the Feynman-Kitaev state will have energy below a when C accepts x with high probability, and energy above b otherwise, where b − a > 1/|C| 2 . But one can easily boost the protocol to a constant gap between completeness and soundness by simply requiring the provers to share M = O(|C| 2 ) copies of the ground state. This new state, |ψ ⊗M , would then be the ground state of a new Hamiltonian H 45 . One then runs the NV protocol for this Hamiltonian. It should be mentioned that this Hamiltonian is no longer 2-local, however, all of the tests in the NV protocol apply for these general Hamiltonians as well (as long as each term is comprised of I, X and Z operators, which is the case for H ). Additionally, the new Hamiltonian has a constant gap. The protocol therefore achieves a constant number of rounds of interaction with the provers (2 rounds) and we have that: Theorem 16. The NV protocol is an MIP * protocol achieving a constant gap between completeness and soundness.
To then boost the completeness-soundness gap to 1 − , for some > 0, one can perform a parallel repetition of the protocol O(log(1/ )) times.

Summary of entanglement-based protocols
We have seen that having non-communicating provers sharing entangled states allows for verification protocols with a classical client. What all of these protocols have in common is that they all make use of self-testing results. These essentially state that if a number of non-communicating players achieve a near optimal win rate in a non-local game, the strategy they employ in the game is essentially fixed, up to a local isometry. The strategy of the players consists of their shared quantum state as well as their local observables. Hence, self-testing results provide a precise characterisation for both. This fact is exploited by the surveyed protocols in order to achieve verifiability. Specifically, we have seen that one approach is to define a number of non-local games so that by combining the optimal strategies of these games, the provers effectively perform a universal quantum computation. This is the approach employed by the RUV protocol [19]. Alternatively, the self-testing result can be used to check only for the correct preparation of a specific resource state. This resource state is then used by the provers to perform a quantum computation. How this is done depends on the type of resource state and on how the computation is delegated to the provers. For instance, one possibility is to remotely prepare the resource state used in the VUBQC protocol and then run the verification procedure of that protocol. This is the approach used by the GKW and HPDF protocols [20,21]. Another possibility is to prepare a cluster state shared among many provers and then have each of those provers measure their states so as to perform an MBQC computation. This approach was used by McKague in his protocol [22]. Lastly, the self-tested resource state can be the ground state of a local Hamiltonian leading to the post-hoc approaches employed by the FH and NV protocols.
We noticed that, depending on the approach that is used, there will be different requirements for the quantum operations of the provers. Of course, all protocols require that collectively the provers can perform BQP computations, however, individually some provers need not be universal quantum computers. Related to this is the issue of blindness. Again, based on what approach is used some protocols utilize blindness and some do not. In particular, the post-hoc protocols are not blind since the computation and the input are revealed to the provers so that they can prepare the Feynman-Kitaev state. 45 Note that the state still needs to be encoded in the 7 qubit code.

Protocol Provers
Qmem provers Rounds Communication Blind Table 6: Comparison of entanglement-based protocols. We denote N = |C| to be the size of the delegated quantum computation together with the input to that computation. The listed values are given assuming a completeness-soundness gap of at least 1 − , for some > 0. For the "Qmem provers" column, the numbers indicate how many provers need to have a quantum memory that is not of constant size, with respect to |C| (if we ignore the preparation of the initial shared entangled state). The "Rounds" column quantifies how many rounds of interaction are performed between the verifier and the provers, whereas "Communication" quantifies the total amount of communication (number of rounds times the size of the messages). Note that a similar table can be found in [25].
We have also seen that the robustness of the self-testing game impacts the communication complexity of the protocol. Specifically, having robustness which is inverse polynomial in the number of qubits of the self-tested state, leads to an inverse polynomial gap between completeness and soundness. In order to make this gap constant, the communication complexity of the protocol has to be made polynomial. This means that most protocols will have a relatively large overhead, when compared to prepare-and-send or receive-and-measure protocols. Out of the surveyed protocols, the NV protocol is the only one which utilizes a self-testing result with constant robustness and therefore has a constant completeness-soundness gap. We summarize all of these facts in Table 6 46 .

Sub-universal protocols
So far we have presented protocols for the verification of universal quantum computations, i.e. protocols in which the provers are assumed to be BQP machines. In the near future, however, quantum computers might be more limited in terms of the type of computations that they can perform. Examples of this include the class of so-called instantaneous quantum computations, denoted IQP, boson sampling or the one-pure qubit model of quantum computation [1,2,80]. While not universal, these examples are still highly relevant since, assuming some plausible complexity theoretic conjectures hold, they could solve certain problems or sample from certain distributions that are intractable for classical computers. One is therefore faced with the question of how to verify the correctness of outcomes resulting from these models. In particular, when considering an interactive protocol, the prover should be restricted to the corresponding sub-universal class of problems and yet still be able to prove statements to a computationally limited verifier. We will see that many of the considered approaches are adapted versions of the VUBQC protocol from Subsection 2.2. It should be noted, however, that the protocols themselves are not direct applications of VUBQC. In each instance, the protocol was constructed so as to adhere to the constraints of the model.
The first sub-universal verification protocol is for the one-pure (or one-clean) qubit model. A machine of this type takes as input a state of limited purity (for instance, a system comprising of the totally mixed state and a small number of single qubit pure states), and is able to coherently apply quantum gates. The model was considered in order to reflect the state of a quantum computer with noisy storage. In [81], Kapourniotis, Kashefi and Datta introduced a verification protocol for this model by adapting VUBQC to the one-pure qubit setting. The verifier still prepares individual pure qubits, as in the original VUBQC protocol, however the prover holds a mixed state of limited purity at all times 47 . Additionally, the prover 46 Note that for the HPDF protocol we assumed that there is one prover with quantum memory, comprised of the individual provers that come together in order to perform the MBQC computation at the end of the protocol. Since, to achieve a completeness-soundness gap of 1 − . the protocol is repeated O(log(1/ )) times, this means there will be O(log(1/ )) provers with quantum memory in total. 47 The purity of a d-qubit state, ρ, is quantified by the purity parameter defined in [81] as: π(ρ) = log(T r(ρ 2 )) + d.
can inject or remove pure qubits from his state, during the computation, as long as it does not increase the total purity of the state. The resulting protocol has an inverse polynomial completeness-soundness gap. However, unlike the universal protocols we have reviewed, the constraints on the prover's state do not allow for the protocol to be repeated. This means that the completeness-soundness gap cannot be boosted through repetition.
Another model, for which verification protocols have been proposed, is that of instantaneous quantum computations, or IQP [2,82]. An IQP machine is one which can only perform unitary operations that are diagonal in the X basis and therefore commute with each other. The name "instantaneous quantum computation" illustrates that there is no temporal structure to the quantum dynamics [2]. Additionally, the machine is restricted to measurements in the computational basis. It is important to mention that IQP does not represent a decision class, like BQP, but rather a sampling class. The input to a sampling problem is a specification of a certain probability distribution and the output is a sample from that distribution. The class IQP, therefore, contains all distributions which can be sampled efficiently (in polynomial time) by a machine operating as described above. Under plausible complexity theoretic assumptions, it was shown that this class is not contained in the set of distributions which can be efficiently sampled by a classical computer [82].
In [2], Shepherd and Bremner proposed a hypothesis test in which a classical verifier is able to check that the prover is sampling from an IQP distribution. The verifier cannot, however, check that the prover sampled from the correct distributions. Nevertheless, the protocol serves as a practical tool for demonstrating a quantum computational advantage. The test itself involves an encoding, or obfuscation scheme which relies on a computational assumption (i.e. it assumes that a particular problem is intractable for IQP machines).
Another test of IQP problems is provided by the Hangleiter et al approach, from Subsection 3.2 [31]. Recall that this was essentially the 1S-Post-hoc protocol for certifying the ground state of a local Hamiltonian. Hangleiter et al have the prover prepare multiple copies of a state which is the Feynman-Kitaev state of an IQP circuit. They then use the post-hoc protocol to certify that the prover prepared the correct state (measuring local terms from the Hamiltonian associated with that state) and then use one copy to sample from the output of the IQP circuit. This is akin to the measurement-only approach of Subsection 3.1. In a subsequent paper, by Bermejo-Vega et al, they consider a subclass of sampling problems that are contained in IQP and prove that this class is also hard to classically simulate (subject to standard complexity theory assumptions). The problems can be viewed as preparing a certain entangled state and then measuring all qubits in a fixed basis. The authors provide a way to certify that the state prepared is close to the ideal one, by giving an upper bound on the trace distance. Moreover, the measurements required for this state certification can be made using local stabilizer measurements, for the considered architectures and settings [5].
Recently, another scheme has been proposed, by Mills et al [83], which again adapts the VUBQC protocol to the IQP setting. This eliminates the need for computational assumptions, however it also requires the verifier to have a single qubit preparation device. In contrast to VUBQC, however, the verifier need only prepare eigenstates of the Y and Z operators.
Yet another scheme derived from VUBQC was introduced in [84] for a model known as the Ising spin sampler. This is based on the Ising model, which describes a lattice of interacting spins in the presence of a magnetic field [85]. The Ising spin sampler is a translation invariant Ising model in which one measures the spins thus obtaining samples from the partition function of the model. Just like with IQP, it was shown in [86] that, based on complexity theoretic assumptions, sampling from the partition function is intractable for classical computers.
Lastly, Disilvestro and Markham proposed a verification protocol [87] for Spekkens' toy model [88]. This is a local hidden variable theory which is phenomenologically very similar to quantum mechanics, though it cannot produce non-local correlations. The existence of the protocol, again inspired by VUBQC, suggests that Bell non-locality is not a necessary feature for verification protocols, at least in the setting in which the verifier has a trusted quantum device.

Fault tolerance
The protocols reviewed in this paper have all been described in an ideal setting in which all quantum devices work perfectly and any deviation from the ideal behaviour is the result of malicious provers. This is not, however, the case in the real world. The primary obstacle, in the development of scalable quantum computers, is noise which affects quantum operations and quantum storage devices. As a solution to this problem, a number of fault tolerant techniques, utilizing quantum error detection and correction, have been proposed. Their purpose is to reduce the likelihood of the quantum computation being corrupted by imperfect gate operations. But while these techniques have proven successful in minimizing errors in quantum computations, it is not trivial to achieve the same effect for verification protocols. To clarify, while we have seen the use of quantum error correcting codes in verification protocols, their purpose was to either boost the completeness-soundness gap (in the case of prepare-and-send protocols), or to ensure an honest behaviour from the provers (in the case of entanglement-based post-hoc protocols). The question we ask, therefore, is: how can one design a fault-tolerant verification protocol? Note that this question pertains primarily to protocols in which the verifier is not entirely classical (such as the prepare-and-send or receive-and-measure approaches) or in which one or more provers are assumed to be single-qubit devices (such as the GKW and HPDF protocols). For the remaining entanglement-based protocols, one can simply assume that the provers are performing all of their operations on top of a quantum error correcting code.
Let us consider what happens if, in the prepare-and-send and receive-and-measure protocols, the devices of the verifier and the prover are subject to noise 48 . If, for simplicity, we assume that the errors on these devices imply that each qubit will have a probability, p, of producing the same outcome as in the ideal setting, when measured, we immediately notice that the probability of n qubits producing the same outcomes scales as O(p n ). This means that, even if the prover behaves honestly, the computation is very unlikely to result in the correct outcome [20].
Ideally, one would like the prover to perform his operations in a fault tolerant manner. In other words, the prover's state should be encoded in a quantum error correcting code, the gates he performs should result in logical operations being applied on his state and he should, additionally, perform errordetection (syndrome) measurements and corrections. But we can see that this is problematic to achieve. Firstly, in prepare-and-send protocols, the computation state of the prover is provided by the verifier. Who should then encode this state in the error-correcting code, the verifier or the prover? It is known that in order to suppress errors in a quantum circuit, C, each qubit should be encoded in a logical state having O(polylog(|C|)-many qubits [89]. This means that if the encoding is performed by the verifier, she must have a quantum computer whose size scales poly-logarithmically with the size of the circuit that she would like to delegate. It is preferable, however, that the verifier has a constant-size quantum computer. Conversely, even if the prover performs the encoding, there is another complication. Since the verifier needs to encrypt the states she sends to the prover, and since her operations are susceptible to noise, the errors acting on these states will have a dependency on her secret parameters. This means that when the prover performs error-detection procedures he could learn information about these secret parameters and compromise the protocol.
For receive-and-measure protocols, one encounters a different obstacle. While the verifier's measurement device is not actively malicious, if the errors occurring in this device are correlated with the prover's operations in preparing the state, this can compromise the correctness of the protocol.
A number of fault tolerant verification protocols have been proposed, however, they all overcome these limitations by making additional assumptions. For instance, one proposal, by Kapourniotis and Datta [84], for making VUBQC fault tolerant, uses a topological error-correcting code described in [57,58]. The error-correcting code is specifically designed for performing fault tolerant MBQC computations, which is why it is suitable for the VUBQC protocol. In the proposed scheme, the verifier still prepares single qubit states, however there is an implicit assumption that the errors on these states are independent of the verifier's secret parameters. The prover is then instructed to perform a blind MBQC computation in the topological code. The protocol described in [84] is used for a specific type of MBQC computation designed to demonstrate a quantum computational advantage. However, the authors argue that the techniques are general and could be applied for universal quantum computations.
A fault-tolerant version of the measurement-only protocol from Subsection 3.1 has also been proposed in [91]. The graph state prepared by the prover is encoded in an error-correcting code, such as the topological lattice used by the previous approaches. As in the 'non-fault-tolerant' version of the protocol, the prover is instructed to send many copies of this state which the verifier will test using stabilizer measurements. The verifier also uses one copy in order to perform her computation in an MBQC fashion. The protocol assumes that the errors occurring on the verifier's measurement device are independent of the errors occurring on the prover's devices.
More details, regarding the difficulties with achieving fault tolerance in QPIP protocols, can be found in [27].

Experiments and implementations
Protocols for verification will clearly be useful for benchmarking experiments implementing quantum computations. Experiments implementing quantum computations on a small number of qubits can be verified with brute force simulation on a classical computer. However, as we have pointed out that this is not scalable, in the long-term it is worthwhile to try and implement verification protocols on these devices. As a result, there have been proof of concept experiments that demonstrate the components necessary for verifiable quantum computing.
Inspired by the prepare-and-send VUBQC protocol, Barz et al implemented a four-photon linear optical experiment, where the four-qubit linear cluster state was constructed from entangled pairs of photons produced through parametric down-conversion [92]. Within this cluster state, in runs of the experiment, a trap qubit was placed in one of two possible locations, thus demonstrating some of the elements of the VUBQC protocol. However, it should be noted that the trap qubits are placed in the system through measurements on non-trap qubits within the cluster state, i.e. through measurements made on the the other three qubits. Because of this, the analysis of the VUBQC protocol cannot be directly translated over to this setting, and bespoke analysis of possible deviations is required. In addition, the presence of entanglement between the photons was demonstrated through Bell tests that are performed blindly. This work also builds on a previous experimental implementation of blind quantum computation by Barz et al [93].
With regards to receive-and-measure protocols, and in particular the measurement-only protocol of Subsection 3.1, Greganti et al implemented [94] some of the elements of these protocols with a fourphoton experiment, similar to the experiment of Barz et al mentioned above [92]. This demonstration builds on previous work in the experimental characterisation of stabiliser states [95]. In this case, two four-qubit cluster states were generated: the linear cluster state and the star graph state, where in the latter case the only entanglement is between one central qubit and pairwise with every other qubit. In order to demonstrate the elements for measurement-only verification, by suitable measurements made by the client, traps can be placed in the state. Furthermore, the linear cluster state and star graph state can be used as computational resources for implementing single qubit unitaries and an entangling gate respectively.
Finally, preliminary steps have been taken towards an experimental implementation of the RUV protocol, from Subsection 4.1. Huang et al implemented a simplified version of this protocol using sources of pairs of entangled photons [71]. Repeated CHSH tests were performed on thousands of pairs of photons demonstrating a large violation of the CHSH inequality; a vital ingredient in the protocol of RUV. In between the many rounds of CHSH tests, state tomography, process tomography, and a computation were performed, with the latter being the factorisation of the number 15. Again, all of these elements are ingredients in the protocol, however, the entangled photons are created on-the-fly. In other words, in RUV, two non-communicating provers share a large number of maximally entangled states prior to the full protocol, but in this experiment these states are generated throughout.

Conclusions
The realization of the first quantum computers capable of outperforming classical computers at nontrivial tasks is fast approaching. All signs indicate that their development will follow a similar trajectory to that of classical computers. In other words, the first generation of quantum computers will comprise of large servers that are maintained and operated by specialists working either in academia, industry or a combination of both. However, unlike with the first super-computers, the Internet opens up the possibility for users, all around the world, to interface with these devices and delegate problems to them. This has already been the case with the 5-qubit IBM machine [96], and more powerful machines are soon to follow [97,98]. But how will these computationally restricted users be able to verify the results produced by the quantum servers? That is what the field of quantum verification aims to answer. Moreover, as mentioned before and as is outlined in [12], the field also aims to answer the more foundational question of: how do we verify the predictions of quantum mechanics in the large complexity regime?
In this paper, we have reviewed a number of protocols that address these questions. While none of them achieve the ultimate goal of the field, which is to have a classical client verify the computation performed by a single quantum server, each protocol provides a unique approach for performing verification and has its own advantages and disadvantages. We have seen that these protocols combine elements from a multitude of areas including: cryptography, complexity theory, error correction and the theory of quantum correlations. We have also seen that proof-of-concept experiments, for some of these protocols, have already been realized.
What all of the surveyed approaches have in common, is that none of them are based on computational assumptions. In other words, they all perform verification unconditionally. However, recently, there have been attempts to reduce the verifier's requirements by incorporating computational assumptions as well. What this means is that the protocols operate under the assumption that certain problems are intractable for quantum computers. We have already mentioned an example: a protocol for verifying the sub-universal sampling class of IQP computations, in which the verifier is entirely classical. Other examples include protocols for quantum fully homomorphic encryption [99,100]. In these protocols, a client is delegating a quantum computation to a server while trying to keep the input to the computation hidden. The use of computational assumptions allows these protocols to achieve this functionality using only one round of back-and-forth communication. However, in the referenced schemes, the client does require some minimal quantum capabilities. A recent modification of these schemes has been proposed in order to make the protocols verifiable as well [101]. Additionally, an even more recent paper introduces a protocol for quantum fully homomorphic encryption with an entirely classical client (again, based on computational assumptions) [102]. We can therefore see a new direction emerging in the field of delegated quantum computations. This recent success in developing protocols based on computational assumptions could very well lead to the first single-prover verification protocol with a classical client.
Another new direction, especially pertaining to entanglement-based protocols, is given by the development of self-testing results achieving constant robustness. This started with the work of Natarajan and Vidick, which was the basis of their protocol from Subsection 4.3 [24]. We saw, in Section 4, that all entanglement-based protocols rely, one way or another, on self-testing results. Consequently, the robustness of these results greatly impacts the communication complexity and overhead of these protocols. Since most protocols were based on results having inverse polynomial robustness, this led to prohibitively large requirements in terms of quantum resources (see Table 6). However, subsequent work by Coladangelo et al, following up on the Natarajan and Vidick result, has led to two entanglement-based protocols, which achieve near linear overhead [25] 49 . This is a direct consequence of using a self-testing result with constant robustness and combining it with the Test-or-Compute protocol of Broadbent from Subsection 2.3. Of course, of the two protocols proposed by Coladangelo et al, only one is blind and so an open problem, of their result, is whether the second protocol can also be made blind. Another question is whether the protocols can be further optimized so that only one prover is required to perform universal quantum computations, in the spirit of the GKW protocol from Subsection 4.1.
We conclude by listing a number of other open problems that have been raised by the field of quantum verification. The resolution of these problems is relevant not just to quantum verification but to quantum information theory as a whole.
• While the problem of a classical verifier delegating computations to a single prover is the main open problem of the field, we emphasize a more particular instance of this problem: can the proof that any problem in PSPACE 50 admits an interactive proof system, be adapted to show that any problem in BQP admits an interactive proof system with a BQP prover? The proof that PSPACE = IP (in particular the PSPACE ⊆ IP direction) uses error-correcting properties of low-degree polynomials to give a verification protocol for a PSPACE-complete problem [103]. We have seen that the Poly-QAS VQC scheme, presented in Subsection 2.1, also makes use of error-correcting properties of low-degree polynomials in order to perform quantum verification (albeit, with a quantum error correcting code and a quantum verifier). Can these ideas lead to a classical verifier protocol for BQP problems with a BQP prover?
• In all existing entanglement-based protocols, one assumes that the provers are not allowed to communicate during the protocol. However, this assumption is not enforced by physical constraints. Is it, therefore, possible to have an entanglement-based verification protocol in which the provers are space-like separated 51 ? Note, that since all existing protocols require the verifier to query the two (or more) provers adaptively, it is not directly possible to make the provers be space-like separated.
• What is the optimal overhead (in terms of either communication complexity, or the resources of the verifier) in verification protocols? For all types of verification protocols we have seen that, for a fixed completeness-soundness gap, the best achieved communication complexity is linear. For the prepare-and-send case is it possible to have a protocol in which the verifier need only prepare a polylogarithmic number of single qubits (in the size of the computation)? For the entanglement-based case, can the classical verifier send only poly-logarithmic sized questions to the provers? This latter question is related to the quantum PCP conjecture [104].
• Are there other models of quantum computation that are suitable for developing verification protocols? We have seen that the way in which we view quantum computations has a large impact on how we design verification protocols and what characteristics those protocols will have. Specifically, the separation between classical control and quantum resources in MBQC lead to VUBQC, or the QMA-completeness of the local Hamiltonian problem lead to the post-hoc approaches. Of course, all universal models are equivalent in terms of the computations which can be performed, however each model provides a particular insight into quantum computation which can prove useful when devising new protocols. Can other models of quantum computation, such as the adiabatic model, the anyon model etc, provide new insights?
• We have seen that while certain verification protocols employ error-correcting codes, these are primarily used for boosting the completeness-soundness gap. Alternatively, for the protocols that do in fact incorporate fault tolerance, in order to cope with noisy operations, there are additional assumptions such as the noise in the verifier's device being uncorrelated with the noise in the prover's devices. Therefore, the question is: can one have a fault tolerant verification protocol, with a minimal quantum verifier, in the most general setting possible? By this we mean that there are no restrictions on the noise affecting the quantum devices in the protocol, other than those resulting from the standard assumptions of fault tolerant quantum computations (constant noise rate, local errors etc). This question is addressed in more detail in [27]. Note that the question refers in particular to prepare-and-send and receive-and-measure protocols, since entanglement-based approaches are implicitly fault tolerant (one can assume that the provers are performing the computations on top of error correcting codes).
denotes the basis vectors as |0 and |1 . Gluing together systems to express the states of multiple qubits is achieved through tensor product, denoted ⊗. The notation |ψ ⊗n denotes a state comprising of n copies of |ψ . If a state |ψ ∈ H 1 ⊗ H 2 cannot be expressed as |a ⊗ |b , for any |a ∈ H 1 and any |b ∈ H 2 , we say that the state is entangled. As a shorthand, we will sometimes write |a |b instead of |a ⊗ |b . As a simple example of an entangled state one can consider the Bell state: Quantum mechanics postulates that there are two ways to change a quantum state: unitary evolution and measurement. Unitary evolution involves acting with some unitary operation U on |ψ , thus producing the mapping |ψ → U |ψ . Note that any such operation is reversible through the application of the hermitian conjugate of U , denoted U † , since U U † = U † U = I.
Measurement, in its most basic form, involves expressing a state |ψ in a particular orthonormal basis, B, and then choosing one of the basis vectors as the state of the system post-measurement. The index of that vector is the classical outcome of the measurement. The post-measurement vector is chosen at random and the probability of obtaining a vector |v ∈ B is given by | v|ψ | 2 .
More generally, a measurement involves a collection of operators {M i } i acting on the state space of the system to be measured and satisfying: The label i indicates a potential measurement outcome. Given a state |ψ to be measured, the probability of obtaining outcome i is p(i) = ψ| M † i M i |ψ and the state of the system after the measurement will be M i |ψ / p(i). If we are only interested in the probabilities of the different outcomes and not in the post-measurement state then we can denote E i = M i M † i and we will refer to the set {E i } i as a positive-operator valued measure (POVM). When performing a measurement in a basis B = {|i } i , we are essentially choosing M i = |i i|. This is known as a projective measurement and in general consists of operators M i satisfying the property that M 2 i = M i . Lastly, when discussing measurements we will sometimes use observables. These are hermitian operators which define a measurement specified by the diagonal basis of the operator. Specifically, for some hermitian operator O, we know that there exists a basis B = {|i } i such that: where {λ i } i is the set of eigenvalues of O. Measuring the O observable on some state |ψ is equivalent to performing a projective measurement of |ψ in the basis B 52 . When using observables, one takes the measurement outcomes to be the eigenvalues of O, rather than the basis labels. In other words, if when measuring O the state is projected to |i , then the measurement outcome is taken to be λ i .
Density matrices. States denoted by kets are also referred to as pure states. Quantum mechanics tells us that for an isolated quantum system the complete description of that system is given by a pure state 53 . This is akin to classical physics where pure states are points in phase space, which provide a complete characterisation of a classical system. However, unlike classical physics where knowing the pure state uniquely determines the outcomes of all possible measurements of the system, in quantum mechanics measurements are probabilistic even given the pure state. It is also possible that the state of a quantum system is specified by a probability distribution over pure states. This is known as a mixed state and can be represented using density matrices. These are positive semidefinite, trace one, hermitian operators. The density matrix of a pure state |ψ is ρ = |ψ ψ|. For an ensemble of states {|ψ i } i , each occurring with probability p i , such that i p i = 1, the corresponding density matrix is: 52 Note that if the operator is degenerate (i.e. has repeating eigenvalues) then the projectors for degenerate eigenvalues will correspond to projectors on the subspaces spanned by the associated eigenvectors. 53 It should be noted that this is the case provided that quantum mechanics is a complete theory in terms of its characterisation of physical systems. See [107] for more details.
It can be shown that if ρ corresponds to a pure state then T r(ρ 2 ) = 1, whereas when ρ is a mixed state T r(ρ 2 ) < 1. One of the most important mixed states, which we encounter throughout this review, is the maximally mixed state. The density matrix for this state is I/d, where I is the identity matrix and d is the dimension of the underlying Hilbert space. As an example, the maximally mixed state for a one qubit system is I/2. This state represents the state of maximal uncertainty about quantum system. What this means is that for any basis {|v i } i of the Hilbert space of dimension d, the maximally mixed state is: Equivalently, any projective measurement, specified by a complete basis B, of the maximally mixed state will have all outcomes occurring with equal probability. We will denote the set of all density matrices over some Hilbert space H as D(H).
When performing a measurement on a state ρ, specified by operators {M i } i , the probability of outcome i is given by p(i) = T r(M i M † i ρ) and the post-measurement state will be M i ρM † i /p(i).
Purification. An essential operation concerning density matrices is the partial trace. This provides a way of obtaining the density matrix of a subsystem that is part of a larger system. Partial trace is linear, and is defined as follows. Given two density matrices ρ 1 and ρ 2 with Hilbert spaces H 1 and H 2 , we have that: In the first case one is 'tracing out' system 2, whereas in the second case we trace out system 1. This property together with linearity completely defines the partial trace. For if we take any general density matrix, ρ, on H 1 ⊗ H 2 , expressed as: where {|i } ({|i }) and {|j } ({|j }) are orthonormal bases for H 1 and H 2 , if we would like to trace out subsystem 2, for example, we would then have: An important fact, concerning the relationship between mixed states and pure states, is that any mixed state can be purified. In other words, for any mixed state ρ over some Hilbert space H 1 one can always find a pure state |ψ ∈ H 1 ⊗ H 2 such that dim(H 1 ) = dim(H 2 ) 54 and: Moreover, the purification |ψ is not unique and so another important result is the fact that if |φ ∈ H 1 ⊗ H 2 is another purification of ρ then there exists a unitary U , acting only on H 2 (the additional system that was added to purify ρ) such that: We will refer to this as the purification principle.
CPTP maps. All operations on quantum states can be viewed as maps from density matrices on an input Hilbert space to density matrices on an output Hilbert space, O : D(H in ) → D(H out ), which may or may not be of the same dimension. Quantum mechanics dictates that such a map, must satisfy three properties: 3. Trace preserving: T r(O(ρ)) = T r(ρ).
For this reason, such maps are referred to as completely positive trace-preserving (CPTP) maps. It can be shown that any CPTP map can be equivalently expressed as: for some set of linear operators {K i } i , known as Kraus operators, satisfying: CPTP maps are also referred to as quantum channels. Additionally, we also mention isometries which are CPTP maps O for which O † • O = I.
Trace distance. We will frequently be interested in comparing the "closeness" of quantum states.
To do so we will use the notion of trace distance which generalizes variation distance for probability distributions. Recall that if one has two probability distributions p(x) and q(x), over a finite sample space, the variation distance between them is defined as: Informally, this represents the largest possible difference between the probabilities that the two distributions can assign to some even x. The quantum analogue of this, for density matrices, is: One could think that the trace distance simply represents the variation distance between the probability distributions associated with measuring ρ 1 and ρ 2 in the same basis (or using the same POVM). However, there are infinitely many choices of a measurement basis. So, in fact, the trace distance is the maximum over all possible measurements of the variation distance between the corresponding probability distributions. Similar to variation distance, the trace distance takes values between 0 and 1, with 0 corresponding to identical states and 1 to perfectly distinguishable states. Additionally, like any other distance measure, it satisfies the triangle inequality.
Quantum computation. Quantum computation is most easily expressed in the quantum gates model. In this framework, gates are unitary operations which act on groups of qubits. As with classical computation, universal quantum computation is achieved by considering a fixed set of quantum gates which can approximate any unitary operation up to a chosen precision. The most common universal set of gates is given by: In order, the operations are known as Pauli X and Pauli Z, Hadamard, the T-gate and controlled-NOT. Note that general controlled-U operations are operations performing the mapping |0 |ψ → |0 |ψ , |1 |ψ → |1 U |ψ . The first qubit is known as a control qubit, whereas the second is known as target qubit. The matrices express the action of each operator on the computational basis. A classical outcome for a particular quantum computation can be obtained by measuring the quantum state resulting from the application of a sequence of quantum gates. Another gate, which we will encounter, is the Toffoli gate, or the controlled-controlled-NOT gate, described by the matrix: The effect of this gate is to apply an X on a target qubit if both control qubits are in the |1 state. We also mention an important class of quantum operations known as Clifford operations. To define them, consider first the n-qubit Pauli group: As a useful side note, the n-qubit Pauli group forms a basis for all 2 n × 2 n matrices. The Clifford group is then defined as follows: Where U (2 n ) is the set of all 2 n × 2 n unitary matrices. Clifford operations, therefore, are operations which leave the Pauli group invariant under conjugation. Operationally they can be obtained through combinations of the Pauli gates together with H, CNOT and S = T 2 , in which case they are referred to as Clifford circuits. We note that the T and Toffoli gates are not Clifford operations. However, Clifford circuits combined with either of these two gates gives a universal set of quantum operations.
Bloch sphere. The final aspect we mention is the Bloch sphere, which offers a useful geometric picture for visualizing single qubit states. Any such state is represented as a point on the surface of the sphere.
In Figure 16, one can see a visualization of the Bloch sphere together with the states |0 , |1 , the eigenstates of Z, as well as , the eigenstates of X and + π/2 = 1 √ , the eigenstates of Y. All of the previously mentioned single-qubit operations can be viewed as rotations on this sphere. The Pauli X, Y, Z gates correspond to rotations by π radians around the corresponding X, Y, Z axes. The Hadamard gate, which can be expressed as H = 1 √ 2 (X + Z) acts as a rotation by π radians around the X + Z axis. Lastly, the T gate, corresponds to a rotation by π/4 radians around the Z axis. We will frequently mention the states |+ φ = 1 √ 2 (|0 + e iφ |1 ) and |− φ = 1 √ 2 (|0 − e iφ |1 ) which all lie in the XY-plane of the Bloch sphere, represented in blue in the above figure. These states can be viewed as rotations of the |+ , |− states by φ radians around the Z axis. For example, the |+ π/2 , |− π/2 states are rotations by π/2 around the Z axis of the |+ , |− states. One can also consider measurements in the XY-plane. Any two diametrically opposed states in this plane form a basis for a one-qubit Hilbert space and therefore define a projective measurement. Suppose we choose the basis (|+ φ , |− φ ) and wish to measure the state |+ θ . It can be shown that the probability of the state being projected to |+ φ is cos 2 ((φ − θ)/2), whereas the probability of it being projected to |− φ is sin 2 ((φ − θ)/2). In other words, the probabilities only depend on the angle difference between φ and θ. This fact will prove very useful later on.
Quantum error correction One important consideration, when discussing quantum protocols, is that any implementation of quantum operations will be subject to noise stemming from interactions with the external environment. For this reason, one needs a fault tolerant way of performing quantum computation. This is achieved using protocols for quantum error detection and correction, for which we give a simplified description.
Suppose we have a k-qubit quantum state |ψ on which we want to perform some quantum gate G. The quantum memory storing |ψ as well as the implementation of G are subject to noise. This means that if we were to apply G directly on |ψ the result would be E(G |ψ ), where E is a CPTP error map associated with the noisy application of G. Using the Kraus decomposition, the action of E can be expressed as: where {E j } j is a set of Kraus operators. If one can correct for all E j 's then one can correct for E as well [108].
To detect and correct for errors from the set {E j } j , one first performs an encoding procedure on |ψ mapping it to a so-called logical state |ψ L on n qubits, where n > k. This procedure involves the use of n − k auxiliary qubits known as ancilla qubits. If we denote the state of these n − k ancillas as |anc we then have the encoding procedure Enc(|ψ |anc ) → |ψ L . This state is part of a 2 k -dimensional subspace of the 2 n -dimensional Hilbert space of all n qubits, denoted H. The subspace is usually referred to as the code space of the error correcting code. One way to represent this space is by giving a set of operators such that the code space is the intersection of the +1 eigenspaces of all the operators.
As an example, consider the 3-qubit flip code. We will take k = 1 and n = 3, so that one qubit is encoded in 3 qubits. The code is able to detect and correct for Pauli X errors occurring on a single qubit. The encoding procedure for a state |ψ = a |0 + b |1 maps it to the state |ψ L = a |000 + b |111 . The code space is therefore defined by span(|000 , |111 ). It is also the unique +1 eigenspace of the operators g 1 = Z ⊗ Z ⊗ I and g 2 = I ⊗ Z ⊗ Z 55 . All valid operations on |ψ L must be invariant on this subspace, whereas any error from the set {E j } j should map the state to a different subspace. In this case, valid operations, or logical operations, are the analogues of the single-qubit unitaries that map |ψ → |φ = U |ψ . Thus, a logical operation U L would map |ψ L → |φ L . The error set simply consists of {X⊗I ⊗I, I ⊗X⊗I, I ⊗I ⊗X}. We can see that any of these errors will map a state inside span(|000 , |111 ) to a state outside of this code space. One then defines a projective measurement in which the projectors are associated with each of the 2 n−k subspaces of H. This is called a syndrome measurement. Its purpose is to detect whether an error has occurred and, if so, which error. Knowing this, the effect of the error can be undone by simply applying the inverse operation. For the 3-qubit code, there are 2 3−1 = 4 possible subspaces in which the state can be mapped to, meaning that we need a 4-outcome measurement. The syndrome measurement is defined by jointly measuring the observables g 1 and g 2 . An outcome of +1 for both observables indicates that the state is in the correct subspace, span(|000 , |111 ). Conversely, if either of the two observables produces a −1 outcome, then this corresponds to one of the 3 possible errors. For instance, an outcome of +1 for the first observable and −1 for the second, indicates that the state is in the subspace span(|001 , |110 ), corresponding to an X error on the third qubit. The error is corrected by applying another X operation on that qubit.
Since Kraus operators can be expressed in terms of Paulis acting on the individual qubits, one often speaks about the weight of an error correcting code. If the code can correct non-identity Pauli operations on at most w qubits, then w is the weight of the code.
The smallest error correcting code which can correct for any single-qubit error is the 5-qubit code (i.e. one qubit is encoded as 5 qubits) [76]. This code is used Subsection 4.3.

Measurement-based quantum computation
Since some of the protocols we review are expressed in the model of measurement-based quantum computation (MBQC), defined in [109,110], we provide a brief description of this model.
Unlike the quantum gates model of computation, in MBQC a given computation is performed by measuring qubits from a large entangled state. Traditionally, this state consists of qubits prepared in the state |+ = 1 They are then measured in the basis (|+ φ , |− φ ). These measurements are denoted as M (φ), and depending on the value of φ chosen for each qubit one can perform universal quantum computation. For this to work, the entangled qubits need to form a universal graph state. Such a state consists, for example, of N qubits in the state |+ . These qubits have been entangled according to some graph structure G, such that there exist measurement patterns (an order for measuring the qubits in G and the corresponding measurement angles) for each quantum computation consisting of O(N ) gates. We will denote the graph state of the |+ qubits entangled according to the structure of G as |G .  A universal graph state allows one to perform any quantum computation up to a certain size. An example of such a state is the brickwork state, defined in [37] from which we illustrate Figure 17. To be more precise, suppose we would like to perform some quantum computation described by a circuit consisting of N gates. The corresponding MBQC computation consists of the following steps: 1. Initialization. Prepare O(N ) qubits, each in the state |+ . 2. Entanglement. Entangle the qubits according to some universal graph state structure, such as the brickwork state. 3. Measurement. Measure each qubit, i using M (φ i ), for some angle φ i determined based on the computation we would like to perform. The angles φ i are referred to as the computation angles. 4. Correction. Apply appropriate corrections (Pauli X and Z operations) to the qubits, based on the measurement outcomes.
The last two steps can be performed together. This is because if we would like to apply a Pauli X correction to a qubit, i, before measuring it, we can simply measure it using M (−φ i ). Similarly, if we would like to apply a Pauli Z correction to that same qubit we measure it using M (φ i + π). Therefore, the general measurement performed on a particular qubit will be M ((−1) s φ i + rπ), where s, r ∈ {0, 1} are determined by previous measurement outcomes. One element concerning graph states, which we will encounter in some protocols, is the representation of these states using stabilizers. A stabilizer state for a unitary hermitian operator, O, is some state |ψ such that O |ψ = |ψ . O is referred to as a stabilizer of |ψ . It is possible to specify a state, |ψ , by giving a set of operators, such that |ψ is the unique state which is stabilized by all the operators in the set. As an example, the state |Φ + = (|00 + |11 )/ √ 2 is uniquely stabilized by the set {X ⊗ X, Z ⊗ Z}. Note that the set of all stabilizers for a state forms a group, since if O 1 |ψ = |ψ and O 2 |ψ = |ψ , then clearly O 1 O 2 |ψ = |ψ . So, it is sufficient to specify a set of generators for that group in order to describe the stabilizer group for a particular state.
To specify the generators for the stabilizer group of a graph state |G , let us first denote V (G) as the set of vertices in the graph G and N G (v) as the set of neighbouring vertices for some vertex v (i.e. all vertices in G that are connected to v through an edge). Additionally, for some operator O, when we write O v we mean that O is acting on the qubit from |G associated with vertex v in G. The generators for the stabilizer group of |G are then given by: for all v ∈ V (G). As a final remark, it should be noted that one can translate quantum circuits into MBQC patterns in a canonical way. For instance, the universal gate set mentioned in the previous subsection, and hence any quantum circuit comprising of those gates, can be translated directly into MBQC. See for example [37] for more details.

Complexity theory
As mentioned in the introduction, the questions regarding verification of quantum computation can be easily expressed in the language of complexity theory. To that end, we provide definitions for the basic complexity classes used in this paper. We let {0, 1} * denote the set of all binary strings and {0, 1} n the set of all binary strings of length n. We use standard complexity theory notation and assume familiarity with the concepts of Turing machines and uniform circuits. For a more general introduction into the subject we refer the reader to [111,112].
Definition 5. A language L ⊆ {0, 1} * belongs to BPP if there exist polynomials p, and a probabilistic Turing machine M , whose running time on inputs of size n is bounded by p(n), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, M (x) 56 accepts with probability at least c, • when x ∈ L, M (x) accepts with probability at most s, where c − s ≥ 1/p(n).
Here, and in all subsequent definitions, c is referred to as completeness and s is referred to as soundness. Traditionally, one takes c = 2/3 and s = 1/3, however, in full generality, the only requirement is that there exists an inverse polynomial gap between c and s. Definition 6. A language L ⊆ {0, 1} * belongs to BQP if there exist polynomials p, and a uniform quantum circuit family {C n } n , where each circuit has at most p(n) gates, such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, C n (x) accepts with probability at least c, • when x ∈ L, C n (x) accepts with probability at most s, where c − s ≥ 1/p(n).
For the quantum circuit C n , acceptance can be defined as having one of its output qubits outputting 1 when measured in the computational basis.
Definition 7. A language L ⊆ {0, 1} * belongs to MA if there exist polynomials p, and a probabilistic Turing machine V , whose running time on inputs of size n is bounded by p(n), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a string w ∈ {0, 1} ≤p(n) , such that V (x, w) accepts with probability at least c, • when x ∈ L, for all strings w ∈ {0, 1} ≤p(n) , V (x, w) accepts with probability at most s, where c − s ≥ 1/p(n).
For this class, V is traditionally referred to as the verifier (or Arthur), whereas w, which is the witness string, is provided by the prover (or Merlin). Essentially, the verifier and is tasked with checking a purported proof that x ∈ L, provided by the prover. There is also a quantum version of this class: 56 The notation M (x) means running the Turing machine M on input x. Definition 8. A language L ⊆ {0, 1} * belongs to QMA if there exists a polynomial p and a uniform quantum circuit family {V n } n taking x and a quantum state |ψ as inputs, such that for any x ∈ {0, 1} n the following are true: • when x ∈ L, there exists a quantum state |ψ ∈ H, such that V n (x, |ψ ) accepts with probability at least c, and • when x ∈ L, for all quantum states |ψ ∈ H, V n (x, |ψ ) accepts with probability at most s, where dim(H) ≤ 2 p(|x|) and c − s ≥ 1/p(|x|).
For QMA we also provide the definition of a complete problem 57 since this will be referenced in some of the protocols we review. The specific problem we state was defined by Kitaev et al and is known as the k-local Hamiltonian problem [63]. A k-local Hamiltonian, acting on a system of n qubits, is a hermitian operator H that can be expressed as H = i H i , where each H i is a hermitian operator which acts non-trivially on at most k qubits. We give the definition of the k-local Hamiltonian problem from [104]: Definition 9 (The k-local Hamiltonian (LH) problem).
• Input: H 1 , . . . , H m , a set of m Hermitian matrices each acting on k qubits out of an n-qubit system and satisfying H i ≤ 1. Each matrix entry is specified by poly(n)-many bits. Apart from the H i we are also given two real numbers, a and b (again, with polynomially many bits of precision) such that Γ = b − a > 1/poly(n). Γ is referred to as the absolute promise gap of the problem. • Output: Is the smallest eigenvalue of H = H 1 +H 2 +...+H m smaller than a or are all its eigenvalues larger than b?
Essentially, for some language L ∈ QMA, and given a and b, one can construct a k-local Hamiltonian such that, whenever x ∈ L, its smallest eigenvalue is less than a and whenever x ∈ L, all of its eigenvalues are greater than b. The witness |ψ , when x ∈ L, is the eigenstate of H corresponding to its lowest eigenvalue (or one such eigenstate if the Hamiltonian is degenerate). The uniform circuit family {V n } n represents a BQP verifier, whereas the state |ψ is provided by a prover. The verifier receives this witness from the prover and measures one of the local terms H i (which is an observable) on that state. This can be done with a polynomial-size quantum circuit and yields an estimate for measuring H itself. Therefore, when x ∈ L and the prover sends |ψ , with high probability the verifier will obtain the corresponding eigenvalue of |ψ which will be smaller than a. Conversely, when x ∈ L, no matter what state the prover sends, with high probability, the verifier will measure a value above b. The constant k, in the definition, is not arbitrary. In the initial construction of Kitaev, k had to be at least 5 for the problem to be QMA-complete. Subsequent work has shown that even with k = 2 the problem remains QMA-complete [64].
Definition 10. A language L ⊆ {0, 1} * belongs to IP if there exist polynomials p, and a probabilistic Turing machine V , whose running time on inputs of size n is bounded by p(n), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a prover P which exchanges at most p(n) messages (of length at most p(n)) with V and makes V accept with probability at least c, • when x ∈ L, any prover P which exchanges at most p(n) messages (of length at most p(n)) with V , makes V accept with probability at most s, where c − s ≥ 1/p(n).
While the previous are fairly standard complexity classes, we now state the definition of a more non-standard class, which first appeared in [26]: Definition 11. A language L ⊆ {0, 1} * belongs to QPIP if there exist polynomials p, a constant κ and a probabilistic Turing machine V , whose running time on inputs of size n is bounded by p(n), and which is augmented with the ability to prepare and measure groups of κ qubits, such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a BQP prover P which exchanges at most p(n) classical or quantum messages (of length at most p(n)) with V and makes V accept with probability at least c, • when x ∈ L, any BQP prover P which exchanges at most p(n) classical or quantum messages (of length at most p(n)) with V , makes V accept with probability at most s, where c − s ≥ 1/p(n).
Some clarifications are in order. The class QPIP differs from IP in two ways. Firstly, while computationally the verifier is still restricted to the class BPP, operationally it has the additional ability of preparing or measuring groups of κ qubits. Importantly, κ is a constant which is independent of the size of the input. This is why this extra ability does not add to the verifier's computational power, since a constant-size quantum device can be simulated in constant time by a BPP machine. Secondly, unlike IP, in QPIP the prover is restricted to BQP computations. This constraint on the prover is more in line with Problem 1 and it also has the direct implication that QPIP ⊆ BQP. As we will see, all the protocols in Section 2 and Section 3 are QPIP protocols. And since these protocols allow for the delegation of arbitrary BQP problems, it follows that QPIP = BQP. We now proceed to the multi-prover setting and define the multi-prover generalization of IP: Definition 12. A language L ⊆ {0, 1} * belongs to MIP[k] if there exist polynomials p, and a probabilistic Turing machine V , whose running time on inputs of size n is bounded by p(n), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a k-tuple of provers (P 1 , P 2 , ...P k ) which are not allowed to communicate and which exchange at most p(n) messages (of length at most p(n)) with V and make V accept with probability at least c, • when x ∈ L, any k-tuple of provers (P 1 , P 2 , ...P k ) which are not allowed to communicate and which exchange at most p(n) messages (of length at most p(n)) with V , make V accept with probability at most s, where c − s ≥ 1/p(n).
Note that MIP[1] = IP and it was shown that for all k > 2, MIP[k] = MIP[2] [113]. The latter class is simply denoted MIP. If the provers are allowed to share entanglement then we obtain the class: Definition 13. A language L ⊆ {0, 1} * belongs to MIP * [k] if there exist polynomials p, and a probabilistic Turing machine V , whose running time on inputs of size n is bounded by p(n), such that for any x ∈ {0, 1} n the following is true: • when x ∈ L, there exists a k-tuple of provers (P 1 , P 2 , ...P k ) which can share arbitrarily many entangled qubits, are not allowed to communicate and which exchange at most p(n) messages (of length at most p(n)) with V and make V accept with probability at least c, • when x ∈ L, any k-tuple of provers (P 1 , P 2 , ...P k ) which can share arbitrarily many entangled qubits, are not allowed to communicate and which exchange at most p(n) messages (of length at most p(n)) with V , make V accept with probability at most s, where c − s ≥ 1/p(n).
As before it is the case that MIP * [k] = MIP * [2] and this class is denoted as MIP * [114]. It is not known whether MIP = MIP * , however, it is known that both classes contain BQP. Importantly, for MIP * protocols, if the provers are restricted to BQP computations, the resulting complexity class is equal to BQP [19]. Most of the protocols presented in Section 4 are of this type. Note that while the protocols we review can be understood in terms of the listed complexity classes, we will often give a more fine-grained description of their functionality and resources than is provided by complexity theory. To give an example, for a QPIP protocol, from the complexity theoretic perspective, we are interested in the verifier's ability to delegate arbitrary BQP decision problems to the prover by interacting with it for a polynomial number of rounds. In practice, however, we are interested in a number of other characteristics of the protocol such as: • whether the verifier can delegate not just decision problems, but also sampling problems (i.e. problems in which the verifier wishes to obtain a sample from a particular probability distribution and is able to certify that, with high probability, the sample came from the correct distribution), • whether the prover can receive a particular quantum input for the computation or return a quantum output to the verifier, • having minimal quantum communication between the verifier and the prover, • whether the verifier can "hide" the input and output of the computation from the prover.