Securing Quantum Computations in the NISQ Era

Recent experimental achievements have motivated ever-growing interest from companies starting to feel the limitations of classical computing. Yet, in light of ongoing privacy scandals, the future availability of quantum computing through remotely accessible servers poses particular challenges: clients with quantum-limited capabilities want their data and algorithms to remain hidden, while being able to verify that their computations are performed correctly. Research in blind and verifiable delegation of quantum computing attempts to address this question. However, available techniques suffer not only from high overheads but also from over-sensitivity: when running on noisy devices, imperfections trigger the same detection mechanisms as malicious attacks, resulting in perpetually aborted computations. Hence, while malicious quantum computers are rendered harmless by blind and verifiable protocols, inherent noise severely limits their usability. We address this problem with an efficient, robust, blind, verifiable scheme to delegate deterministic quantum computations with classical inputs and outputs. We show that: 1) a malicious Server can cheat with at most an exponentially small success probability; 2) in case of sufficiently small noise, the protocol succeeds with a probability exponentially close to 1; 3) the overhead is merely a polynomial number of repetitions of the initial computation interleaved with test runs requiring the same physical resources in terms of memory and gates; 4) the amount of tolerable noise, measured by the probability of failing a test run, can be as high as 25% for some computations and is generally bounded by 12.5% when using a planar graph resource state. The key points are that security can be provided without universal computation graphs and that, in our setting, full fault-tolerance is not needed to amplify the confidence level exponentially close to 1.


I. INTRODUCTION
Quantum computing promises unparalleled power for solving certain problems such as database search [1] or integer factoring [2]. Recent experimental progress showed that the limit of classical un-simulatability is now within reach, if not already surpassed [3]. In this regime, quantum computers become so powerful that their classical counterparts cannot simulate their computation in a reasonable time.
On the one hand, this has triggered a lot of interest from all stakeholders starting to feel the limitations of classical computing power and wanting to prepare for the inevitable slow-down of Moore's law, i.e. from academic labs all the way to industry users. This, in turn, has driven most recent algorithmic and software developments in the field. More and more use cases are being studied with the goal of running useful computations on these devices as soon as their capabilities allow it.
On the other hand, because the cloud is emerging as the preferred way of accessing quantum computing capabilities, the questions of data and algorithm confidentiality as well as computation integrity are taking on particular importance. First, it is expected that only the most crucial and strategic computations will be run on these quantum computers, thus making these systems ideal targets for sophisticated hacking. Second, disruption caused by (un)intentional mis-computations could stay undetected in the absence of means to check the result. Even in case of detection, it could still be difficult to pinpoint the failing component due to the impossibility of following exactly the progress of quantum computations. Several methods for circumventing this hurdle have been devised in the past (see e.g. [4,5] and [6] for a review).
In spite of the answers brought by the existence of these protocols, the initial questions are far from resolved, even from a theoretical standpoint. This is because currently known verifiable protocols are too sensitive to be of practical use. Indeed, they were developed for noiseless devices and optimized to detect the slightest tampering and abort quickly. Unfortunately, replacing perfect devices by even slightly noisy ones is not an option: the verification procedure would keep aborting, mistaking plain imperfections for the signature of malicious behaviour.
Several options for dealing with this sensitivity have been discussed in the past. Previous research explored giving up blindness [7], imposing restrictions on the noise model [8], moving to a double-server setting with classical clients and no classical communication between the servers [9], or going to the computationally-secure regime [10]. Yet, to obtain exponential security, these works would still require fully fault-tolerant computations, thus making them impractical for NISQ-era devices.
As a consequence, before the availability of large fault-tolerant machines, clients could do their best to mitigate the effect of noise on their computations but, regarding security, would still be left with no better alternative than to either give up their objectives entirely or try to convince themselves that providers are not as malicious as they could be. By running computations whose outcomes are known in advance, they could benchmark the performance and quality of the devices used (see e.g. [11][12][13]), and ultimately decide whether or not to trust future runs of the service. Yet, such a strategy falls short of the security expectations of most users because no benchmark entails future fulfilment of the provider's promises: benchmarking is not verifying. It might only serve a posteriori to demonstrate that the provider cheated during the benchmark, but would not help prevent deviant behaviour at the time of computation.
In this paper, we propose a solution to both error mitigation and security issues by introducing a verifiable, blind and delegated quantum computing protocol for deterministic computations with classical inputs and outputs, that is also robust to noise (Section III). It relies on the Measurement-Based model of Quantum Computation (MBQC) as it is the most natural one for delegation (see Section II for a short introduction to MBQC and its blind and trappified versions). The robustness of the protocol means that there is no need to give up the ambition to provide security in a fully malicious adversarial model because of noise. More precisely, we show in Section IV A that, without any restriction on the adversary, any attempt at disturbing the computation will either be caught or error-corrected and made ineffective with high probability. Hence, in the presence of noise that can be error-corrected by our scheme, the computation will be accepted with probability exponentially close to 1. To do this, we will repeat the computation several times while interleaving these executions with test runs aimed at detecting a dishonest behaviour of the Server. The interplay between computations and tests will turn in our favour as it will both offer noise-robustness and exponential security. The robustness will come from the error-correcting capability offered by majority voting, while the exponential security results from the blindness of the scheme which forces the Server to attack at least half the runs to have a chance to corrupt the computation. This in turn necessarily heightens its chances of getting caught.
We want to stress here that we make no assumption on the adversary in the process. The adversary can be as malicious as it wants and the security will not be compromised. Indeed, the security is information-theoretic and provided in the composable framework of Abstract Cryptography (see [14,15] for an introduction). This ensures that it will not be jeopardised by subsequent or simultaneous instantiations in conjunction with other protocols. Any noise is treated as an adversarial deviation, which is detectable by our cryptographic tool. This is a fundamental property that cannot be obtained via any other certification approach [16] without using a masking scheme providing blindness.
The key technical element used in this work is the recognition that, for deterministic classical-input classical-output computations, fault-tolerance is not required to error-correct the lightest attacks, thus allowing us to boost the probability of acceptance of the protocol on noisy devices while still rightfully aborting when the perceived disturbance would risk overwhelming the classical error-correcting capabilities of the scheme. The practical implication is the absence of overhead for each run used in the protocol when compared to the same non-robust, non-verifiable, blind delegated quantum computation in the MBQC model. In fact, the only overhead of our scheme is the repetition of computations similar to the unprotected one (i.e. with the same size, connectivity and gate set) a polynomial number of times in order to get not only exponential security, but also exponential acceptance when the noise is not too strong. In particular, it does not increase the quantum memory requirement nor require additional simultaneous entanglement between quantum systems, thus being ideal for near-term implementations where each run can be carried out either sequentially on a single machine or in parallel on several ones.

II. MEASUREMENT-BASED QUANTUM COMPUTING
This section provides a brief overview of various useful notions linked to our model of computation, namely Measurement-Based Quantum Computing (MBQC) and its blind and verifiable variants. Based on the gate-teleportation principle, this model is equivalent to the circuit model and is a natural setup for considering delegated computations, i.e. when a Client with limited quantum capabilities instructs a more powerful Server to perform a computation on its behalf. We assume familiarity with the other main concepts of quantum information (see e.g. [17] for details) and refer the reader to [18] for a more in-depth introduction to MBQC.
From now on, we use the following notations. Z_θ denotes the rotation operator diag(1, e^{iθ}), |+_θ⟩ = Z_θ|+⟩ = (|0⟩ + e^{iθ}|1⟩)/√2 the corresponding rotated state, |−_θ⟩ = (|0⟩ − e^{iθ}|1⟩)/√2 its orthogonal state, and Θ = {kπ/4 | 0 ≤ k ≤ 7} the set of angles that are multiples of π/4.

A. Basic MBQC Definitions
The basic MBQC Protocol for classical inputs and outputs can be summarized as follows. Any computation chosen by the Client is first translated into a graph G = (V, E), where two vertex sets I and O define input and output vertices, together with a list of measurement angles {φ_v}_{v∈V}. To run a computation, the Client instructs the Server to prepare the graph state |G⟩: for each vertex in V, the Server creates a qubit in the state |+⟩ and performs a CZ gate for each pair of qubits forming an edge in G. The Client then asks the Server to measure each qubit of V in the basis {|+_{φ'_v}⟩, |−_{φ'_v}⟩}, in the order defined by the flow of the computation. The corrected angle φ'_v is given by φ'_v = (−1)^{s^X_v} φ_v + s^Z_v π, for binary values s^X_v and s^Z_v that depend only on the outcomes of previously measured qubits and the flow. More details about the flow and the update rules for the measurement angles can be found in [19,20].
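To make the role of the byproduct corrections concrete, the following sketch (a numerical illustration of ours, not part of the protocol specification) simulates the smallest possible pattern, a single-edge graph, and checks that applying the X^s correction makes the post-measurement state of the output qubit independent of the random outcome s:

```python
import numpy as np

def plus(theta=0.0):
    """|+_theta> = (|0> + e^{i theta}|1>)/sqrt(2)."""
    return np.array([1.0, np.exp(1j * theta)]) / np.sqrt(2)

X = np.array([[0, 1], [1, 0]], dtype=complex)
CZ = np.diag([1, 1, 1, -1]).astype(complex)

phi = 0.7  # an arbitrary measurement angle
state = CZ @ np.kron(plus(), plus())  # two-qubit graph state on a single edge

branches = []
for s in (0, 1):
    # Project qubit 1 onto <s_phi| = (<0| + (-1)^s e^{-i phi} <1|)/sqrt(2)
    ket = np.array([1.0, (-1) ** s * np.exp(1j * phi)]) / np.sqrt(2)
    out = np.kron(ket.conj(), np.eye(2)) @ state  # unnormalized state of qubit 2
    out = out / np.linalg.norm(out)
    out = np.linalg.matrix_power(X, s) @ out      # byproduct correction X^s
    branches.append(out)

overlap = abs(np.vdot(branches[0], branches[1]))
print(f"fidelity between corrected branches: {overlap:.6f}")  # -> 1.000000
```

The same mechanism, propagated along the flow, is what makes a full MBQC pattern deterministic.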

B. Hiding the Computation
The computation can be totally hidden by using the following observation: if, instead of the Server preparing each qubit in the graph in the state |+⟩, the Client sends |+_{θ_v}⟩ with θ_v ∈_R Θ, where ∈_R indicates that a value is sampled from a set uniformly at random, then measuring the qubits in a similarly rotated basis, obtained by adding θ_v to the measurement angle, yields the same result as the initial computation. If the Client keeps the angle θ_v hidden from the Server, the Server is completely blind as to which computation is being performed. The angle θ_v acts as a One-Time Pad for the measurement angle φ_v. Nevertheless, because the Server could always measure the received qubits, it would still learn 1 bit of information about the angle θ_v, which can take 8 values and so consists of 3 bits. To prevent this, another parameter r_v ∈_R {0, 1} is added for each qubit. The resulting measurement angle sent to the Server is then δ_v = φ'_v + θ_v + r_v π. The parameter r_v serves as a One-Time Pad for the measurement outcome: if b_v is now the outcome returned by the Server, then we have s_v = b_v ⊕ r_v with s_v defined as above. In short, the Client sends randomly rotated qubits that appear maximally mixed to the Server and that become the resource state once entangled. It then guides the computation with a set of classical instructions that are adapted to the effectively prepared resource state but still look perfectly random to the Server. It is the combination of these two parts (quantum state preparation and classical instructions) that leads to the desired blind computation. This idea was first formalized in the Universal Blind Quantum Computation (UBQC) Protocol in [4].
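The one-time-pad structure can be illustrated on a single isolated qubit (a sketch of ours, with an arbitrarily chosen angle φ; for an isolated qubit the corrected angle φ' coincides with φ): measuring |+_θ⟩ at δ = φ + θ + rπ reproduces, up to the XOR with r, the statistics of measuring |+⟩ at angle φ, for every choice of the secret θ and r:

```python
import numpy as np

rng = np.random.default_rng(0)
Theta = np.arange(8) * np.pi / 4   # Θ = {0, π/4, ..., 7π/4}

def plus(a):
    return np.array([1.0, np.exp(1j * a)]) / np.sqrt(2)

def p_outcome_0(state, delta):
    """Probability of outcome 0 when measuring in {|+_delta>, |-_delta>}."""
    return abs(np.vdot(plus(delta), state)) ** 2

phi = 3 * np.pi / 4                    # the secret computation angle
p_plain = p_outcome_0(plus(0.0), phi)  # unblinded: measure |+> at angle phi

for _ in range(100):
    theta = rng.choice(Theta)      # one-time pad for the angle
    r = int(rng.integers(2))       # one-time pad for the outcome
    delta = phi + theta + r * np.pi          # angle sent to the Server
    p0 = p_outcome_0(plus(theta), delta)     # Server measures |+_theta> at delta
    # b = s XOR r: P(b=0) equals P(s=r) of the unblinded measurement
    p_expected = p_plain if r == 0 else 1 - p_plain
    assert abs(p0 - p_expected) < 1e-12
print("blinded statistics match the unblinded computation")
```

The Server sees only δ, which is uniformly distributed over Θ regardless of φ, so the instruction itself carries no information about the computation.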
This technique was used previously in protocols that also required the computation to be embedded in a universal graph such as a brickwork graph or a dotted-complete graph [5,21]. This last requirement, however, caused a blow-up in the number of qubits since the Client could not choose the optimal graph for its desired computation but had to make it fit these universal graphs. Relaxing this requirement allows us to work directly with the same graph as the one used for the Client's desired computation rather than an expanded one. While this leaks the information about the underlying computation graph, all the parameters (i.e. the angles) remain hidden, which turns out to be sufficient for blindness. The result is a drastic reduction of the memory qubits required on the Server's side.

C. Verifiability Through Trap Insertion
In UBQC, the Server is not forced to follow the instructions and the Client cannot verify whether the computation is done correctly, but a modified version of the protocol allows for such verification. The central idea is to include trap qubits at positions unknown to the Server [5]. The conditions for successfully inserting traps are that they should have deterministic outcomes if measured in the correct basis, should remain undetectable by the Server, and should not affect the computation.
To do this, the Client can send dummy qubits, meaning qubits randomly initialized in states {|0⟩, |1⟩} instead of the usual |+_θ⟩. This has the effect of breaking the graph at this vertex, removing it from G along with any attached edges. Sending such dummies for all neighbours of a vertex isolates it from the rest of the graph, creating a trap. If measured in the same basis as the one used for their preparation, these traps yield deterministic outcomes while being undetectable by the Server. The latter is due to the fact that dummies appear as maximally mixed qubits from the Server's perspective and are thus no different from regular randomly chosen |+_θ⟩ states. The last condition to satisfy, namely the possibility to still run the initial computation, is more challenging. Without further assumptions, it requires the traps to be inserted within a modified graph that contains the computation to be performed. This results in a supplementary overhead in terms of stored qubits and applied gates compared to the UBQC version of the computation. The first protocol achieving verification through trappification was introduced in [5] and incurred a quadratic overhead in the number of qubits. It was later optimized, for instance in the Verifiable Blind Quantum Computation (VBQC) Protocol of [21] or in [22], to achieve a linear overhead.
The specificity of this paper is its focus on classical inputs and classical outputs. While this case covers the majority of current use cases of quantum devices, its main virtue is to allow for simple trap insertion strategies consisting of interleaving pure computation runs (i.e. without inserted traps) with pure test runs (i.e. only made up of traps). This simplicity will in turn lead to a simple amplification scheme yielding the desired exponential confidence in the result of the verification procedure, in contrast to previous protocols that required fully fault-tolerant universal schemes to achieve this level of confidence, thus blowing up the overhead.
More precisely, given a UBQC computation defined by a graph G, we construct test runs based on a k-colouring of G, i.e. a partition {V_i}_{i∈[k]} of V such that N_G(v) ∩ V_i = ∅ for all i and all v ∈ V_i, where N_G(v) denotes the neighbours of v in G. Hence, for each colour i, the Client can decide to insert traps at all vertices of V_i while placing dummies in all other positions. This defines the test run associated to colour i. It is easy to check that the traps inserted in this way are isolated from the other qubits, thus giving deterministic outcomes when measured in their preparation basis, and that they are undetectable by the Server, since a test run requires the Server to apply the same sequence of operations as a regular UBQC computation. The next section describes how test runs can be used in conjunction with computation runs, i.e. regular UBQC computations, to achieve verified computation.

FIG. 1. An example set of runs of the proposed protocol. Graphs in grey denote computation runs while graphs containing red nodes (traps) and green nodes (dummies) are test runs. This example graph on five nodes is completely covered with traps by the three types of test runs presented. Note that the Server remains completely oblivious to the differences between the runs, which are known solely to the Client.
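The construction of test runs from a colouring can be sketched as follows (a plain-Python sketch on a hypothetical 5-vertex graph of our choosing; a greedy colouring is used for simplicity, though any proper colouring works):

```python
# Hypothetical 5-vertex graph given by its edge list.
edges = [(0, 1), (1, 2), (2, 3), (3, 4), (1, 3)]
n_vertices = 5
adj = {v: set() for v in range(n_vertices)}
for u, v in edges:
    adj[u].add(v)
    adj[v].add(u)

# Greedy proper colouring: each vertex gets the smallest colour
# not already used by one of its coloured neighbours.
colour = {}
for v in range(n_vertices):
    used = {colour[u] for u in adj[v] if u in colour}
    colour[v] = next(c for c in range(n_vertices) if c not in used)

k = max(colour.values()) + 1
V = [{v for v in colour if colour[v] == c} for c in range(k)]

# Test run for colour c: traps = V[c], dummies = everything else.
for traps in V:
    # Every neighbour of a trap is a dummy, so traps are isolated.
    assert all(adj[t].isdisjoint(traps) for t in traps)

# Together, the k test runs place a trap on every vertex of G.
assert set().union(*V) == set(range(n_vertices))
print(f"k = {k} test-run types cover all {n_vertices} vertices")
```

On this example graph the greedy colouring yields three test-run types, matching the three types depicted in Figure 1.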

III. NOISE-ROBUST VERIFIABLE PROTOCOL
While our Noise-Robust VBQC Protocol is formally defined in Protocol 1, we want to introduce it more intuitively in the next paragraphs in order to emphasize the features that make it suitable for practical purposes.
We now suppose that the Client has settled on a fixed computation which it has translated into a computational measurement pattern to be run on a graph G. It has also chosen a colouring {V_i}_{i∈[k]} of G and has sent it to the Server along with the graph G.
The Client will now run the UBQC Protocol n times successively, but with different update rules for the measurement angles. For d of the runs chosen at random, the Client will update the measurement angles according to the computational measurement pattern thus resulting in computation runs. The remaining t := n − d runs will be turned into test runs. More precisely, for each test run, the Client will secretly choose a colour at random and send traps for vertices of that colour and dummies everywhere else. As stated earlier, the trap qubits will be isolated from each other by the dummies. The Client then instructs the Server to measure all qubits as in computation runs, but with the measurement angle of trap qubits corresponding to the basis they were prepared in and a random measurement basis for the dummies. A test run is said to have passed if all the traps yield the expected measurement results, and is said to have failed otherwise. Figure 1 depicts one possible such succession of computation and test runs.
A direct consequence of this construction is that all runs share the same underlying graph G, the same order for the measurements of qubits, and all angles are chosen from the same uniform distribution. We will prove formally later that this implies blindness -i.e. the Server cannot distinguish computation and test runs, nor tell which qubits are traps -which in turn makes this trap insertion strategy efficient to obtain verifiability.
At the end of the protocol, the Client counts the number of test runs where at least one trap measurement has failed. If this number reaches a given threshold w, the Client aborts the protocol by sending the message Abort to the Server. Otherwise it sets the majority outcome of the computation runs as its output and sends the message Ok to the Server. The parameters n, d, t, w defined above are fixed for a given instantiation of the protocol and are publicly available to both parties, in addition to the graph G and the colouring {V_i}_{i∈[k]}. Their influence on the security bounds and on the noise-robustness of our protocol is detailed in the next sections, along with the constraints they must abide by.
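The Client's final decision rule described above can be sketched as follows (function and variable names are ours):

```python
from collections import Counter

def client_decision(test_failures, outputs, w):
    """Client-side decision rule of the protocol (a sketch).

    test_failures: list of bools, one per test run (True = some trap failed)
    outputs: list of corrected classical outputs, one per computation run
    w: threshold on the number of failed test runs
    """
    # Abort if the number of failed test runs reaches the threshold w.
    if sum(test_failures) >= w:
        return "Abort"
    # Otherwise, look for a strict majority among the d computation outputs.
    value, count = Counter(outputs).most_common(1)[0]
    if count > len(outputs) / 2:
        return ("Ok", value)
    return "Abort"

# Example: 3 of 40 test runs failed (noise), threshold w = 5,
# and 18 of 24 computation runs agree on the output "0110".
print(client_decision([True] * 3 + [False] * 37,
                      ["0110"] * 18 + ["1111"] * 6, 5))  # -> ('Ok', '0110')
```

Note that the rule aborts both on too many failed tests and on the absence of a majority output, mirroring steps 3 and 4 of Protocol 1.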
a. Redo Feature. Because the Client or the Server may experience failures in their experimental systems, they might wish to discard and redo a run j ∈ [n]. In such a situation, one of the parties can send a Redo_j request to the other, in which case the parties simply repeat the exact same run, albeit with fresh randomness. To prevent the Client from post-selecting on the measurement results returned by the Server, the Redo_j request is allowed only as long as the party asking for it is still supposed to be manipulating the qubits of run j.
We show in the next section that this does not impact the blindness nor verifiability of the scheme. This means that a dishonest Server cannot use Redo requests to trick the Client into accepting an incorrect result.
However, this capability of our protocol has an important practical impact: without this possibility, honest failures of the experimental devices happening during a test run would be counted as a failed test run, thus drastically decreasing the likelihood of successfully performing a verified computation, i.e. of getting an Ok. Here, as they can be safely ignored, the only consequence of experimental failures is to increase the expected number of repeated runs. Note that it is possible for the Client to choose the secret variables for all runs in advance, taking into account the probability that a given run j will need to be redone due to experimental defects. If the probability of not having to redo a run on honest devices is given by p_succ, then the number of runs to be pre-sampled by the Client is N = O(n/p_succ), with the same proportions of computation runs d/n and test runs t/n.

b. Exponential Security Amplification Feature. The above approach to trap insertion is efficient as the only overhead is the repetition of the same sub-protocol. Yet, as such, it would seemingly only achieve a security bound that is inverse-polynomial in the number of runs. For instance, using a single computation run and n − 1 test runs would leave the Server a 1/n chance of corrupting the computation run. The only previously-known method to reduce the cheating probability to exponentially-low bounds was to insert traps into a single computation run, at the expense of using a more complicated graph, and then to use fault-tolerant quantum error-correcting codes to achieve the desired amplification of the security. By restricting our target to classical inputs and outputs, we will prove that it is sufficient to use only a classical repetition error-correcting code to go from inverse-polynomial to exponentially-low cheating probability.

Protocol 1 Noise-Robust VBDQC with Deterministic Classical Output
Inputs: The Server has no input. The Client has as input:
• Angles {φ_v}_{v∈V} and flow f on graph G.
• Classical input to the computation x ∈ {0, 1}^{#I}.
Protocol:
1. The Client chooses uniformly at random a partition (C, T) of [n] (C ∩ T = ∅) with #C = d, the sets of indices of the computation and test runs respectively.
2. For j ∈ [n], the Client and the Server perform the following sub-protocol (the Client may send message Redo_j to the Server before step 2.c while the Server may send it to the Client at any time, both parties then restarting run j with fresh randomness):
(a) If j ∈ T (test), the Client chooses uniformly at random a colour V_j ∈_R {V_i}_{i∈[k]} (this is the set of traps for this test run).
(b) The Client sends #V qubits to the Server (where #X is the size of X). If j ∈ T and the destination qubit v ∉ V_j is a non-trap qubit (therefore a dummy), then the Client chooses uniformly at random d_v ∈_R {0, 1} and sends the state |d_v⟩. Otherwise, the Client chooses at random θ_v ∈_R Θ and sends the state |+_{θ_v}⟩.
(c) The Server performs a CZ gate between all pairs of its qubits corresponding to an edge in the set E.
(d) For v ∈ V, the Client sends a measurement angle δ_v, the Server measures the corresponding qubit in the δ_v-basis, returning outcome b_v to the Client. The angle δ_v is defined as follows:
• If j ∈ C (computation), it is the same as in UBQC, computed using the flow and the computation angles {φ_v}_{v∈V}. For v ∈ I (input qubit) the Client uses θ̃_v = θ_v + x_v π in the computation of δ_v.
• If j ∈ T (test), the Client chooses r_v ∈_R {0, 1} and sets δ_v = θ_v + r_v π for traps (v ∈ V_j), and chooses δ_v ∈_R Θ uniformly at random for dummies.
3. For all j ∈ T (test run) and v ∈ V_j (traps), the Client verifies that b_v = r_v ⊕ d_v, where d_v = ⊕_{i∈N_G(v)} d_i is the sum over the values of the neighbouring dummies of qubit v. Let c_fail be the number of failed test runs (those with at least one trap qubit not satisfying the relation above); if c_fail ≥ w then the Client aborts by sending message Abort to the Server.
4. Otherwise, let y_j for j ∈ C be the classical output of computation run j (after corrections from the measurement results). The Client checks whether there exists some output value y such that #{y_j | j ∈ C, y_j = y} > d/2. If such a value y exists (this is then the majority output), it sets it as its output and sends message Ok to the Server. Otherwise it sends message Abort to the Server.
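The verification relation of step 3 can be checked numerically on a single trap surrounded by dummies (a sketch of ours, under the simplification, guaranteed by the colouring, that all of the trap's neighbours are dummies):

```python
import numpy as np

rng = np.random.default_rng(1)
Theta = np.arange(8) * np.pi / 4

def plus(a):
    return np.array([1.0, np.exp(1j * a)]) / np.sqrt(2)

ok = 0
for _ in range(200):
    theta = rng.choice(Theta)             # trap preparation angle θ_v
    r = int(rng.integers(2))              # outcome one-time pad r_v
    dummies = rng.integers(2, size=3)     # three dummy neighbours |d_i>
    # A CZ with a computational-basis dummy acts as Z^{d_i} on the trap,
    # so after entangling, the trap is in |+_{θ + π Σ d_i}>.
    trap = plus(theta + np.pi * int(dummies.sum()))
    delta = theta + r * np.pi             # angle the Client asks to measure at
    p0 = abs(np.vdot(plus(delta), trap)) ** 2
    b = 0 if p0 > 0.5 else 1              # outcome is deterministic (p0 is 0 or 1)
    ok += (b == r ^ (int(dummies.sum()) % 2))
print(f"relation b_v = r_v XOR d_v held in {ok}/200 random trials")
```

This determinism is exactly what lets the Client flag any disturbance of a trap, while the random θ_v, r_v and d_v keep the trap indistinguishable from a computation qubit.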
There are two practical impacts of this ability. The first is a saving in terms of qubits and gates required to perform a computation, to the point where fully fault-tolerant Servers are no longer the only option for implementing VBQC schemes. The second relates to security: even though our protocol will be proven secure under sequential and parallel composition, each use of the protocol still offers more opportunities for an attacker to succeed. Hence, through exponential security amplification, Clients can rely on a verifiable delegated quantum computation service provider for an indefinite amount of time: lowering the single-run cheating probability to cope with a linear number of potential uses requires only a logarithmic increase in the resources devoted to the security of their computations (in terms of number of repetitions).
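The logarithmic scaling claimed above can be made concrete with a back-of-the-envelope calculation (the security exponent α below is an assumed placeholder for illustration, not a bound derived in this paper):

```python
import math

# If a single protocol instance is eps(n) = 2**(-alpha*n)-secure, composability
# gives a union bound of m * eps(n) over m uses, so the number of runs n only
# needs to grow logarithmically in m to keep the total below a fixed target.
alpha = 0.01        # assumed per-run security exponent (placeholder value)
eps_target = 1e-9   # overall cheating probability the Client tolerates

def runs_needed(m_uses):
    # Smallest n with m_uses * 2**(-alpha * n) <= eps_target.
    return math.ceil((math.log2(m_uses) + math.log2(1 / eps_target)) / alpha)

for m in (1, 10, 100, 1000):
    print(f"{m:5d} uses -> n = {runs_needed(m)}")
```

Multiplying the number of uses by 1000 only adds a constant-factor increase of roughly log2(1000) / α ≈ 1000 runs here, rather than multiplying the resource count.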
Note that such amplification is a common and rather intuitive feature in purely classical scenarios where attacks can be correlated across rounds. Although this claim had also been made in the quantum case in previous works [5,8,21], it has remained unproven until now. The difficulty that the following section addresses is that, in the quantum realm, attacks can be entangled across rounds in a way that is much more powerful than what is possible with classical correlations.

A. Security Analysis
We show in this section that the protocol presented above is secure in the Abstract Cryptography Framework of [14]. In this framework, security means that an Ideal Resource, secure by definition, cannot be distinguished from its real-world implementation, i.e. the protocol. To assess this property, all parties accessing the ideal and real setups will be represented by a single distinguisher. Its purpose is to choose the inputs to both setups and to try to tell them apart by analysing exchanged messages as well as obtained outputs. When the protocol is meant to be secure against some malicious parties, the distinguisher will additionally have the possibility to deviate from instructions sent to these potentially malicious parties, thus granting it even more opportunities to tell both setups apart (see [23] for an introduction to Abstract Cryptography applied to QKD).
Abstract Cryptography has two main virtues. First, because the Ideal Resource is secure by design and indistinguishable from the real-world implementation, so is the latter. This implies a higher standard of security than in other approaches (see e.g. [24] and Section 5.1 of [23]). Second, it is by construction composable. This means that security holds in situations where the protocol is repeated sequentially, used in parallel or used in conjunction with other protocols. As a consequence, the security of our protocol will hold in a wide range of situations of practical interest such as when different runs are distributed to different machines to reduce the overall execution time.
Here, instead of following the direct approach to proving security outlined above, we will take a slightly different path. We will use the results of [15] that reduce the security of a Verifiable Delegated Quantum Computation Protocol to the conjunction of four stand-alone criteria:
• ε_cor-local-correctness, which is satisfied if the protocol with honest players outputs the expected output;
• ε_bl-local-blindness, meaning that the malicious Server's state at the end of the protocol is indistinguishable from one it could have generated on its own;
• ε_ver-local-verifiability, meaning that the Client either accepts a correct computation or aborts at the end of the protocol;
• ε_ind-independent-verification, i.e. the Server can determine on its own, using the transcript of the protocol and its internal registers, whether the Client will decide to abort or not.
Then, the Local-Reduction Theorem (Corollary 6.9 from [15]) gives the following: if a protocol implements a unitary transformation on classical inputs and is ε_cor-locally-correct, ε_bl-locally-blind and ε_ver-locally-verifiable with ε_ind-independent verification, then it is ε-composably-secure, with ε a function of these four parameters; in our case, where the first three vanish, ε = 4√(2 ε_ver) as stated in Theorem 1 below. The reader is referred to Appendix B for formal definitions of the Ideal Resource and the local criteria described above.
With this at hand, we can state our main result: Theorem 1 (Security of Protocol 1). For n = d + t such that d/n and t/n are fixed in (0, 1), and w such that w/t is fixed in (0, 1/(2k)), Protocol 1 with d computation runs, t test runs, and a maximum number of tolerated failed test runs w is ε-composably-secure with ε = 4√(2 ε_ver) and ε_ver exponentially small in n.
In the paragraphs below, we show that our protocol satisfies each of the stand-alone criteria before combining them to get composable security.
a. Perfect Local-Correctness. On perfect (non-noisy) devices, local-correctness is implied by the correctness of the underlying UBQC Protocol. This is because all the completed computation runs correspond to the same deterministic UBQC computation, and on such devices general UBQC Protocols have been proven to be perfectly correct [4,15]. Thus ε_cor = 0.
b. Perfect Local-Blindness. In case the computation is accepted, each run looks exactly like a UBQC computation to the Server. Therefore the blindness comes directly from the composability of the various UBQC runs that make our protocol [15]. In case the computation is aborted, we need to take into account the fact that a possibly malicious Server could deduce the position of a trap qubit. That could be the case if it attacked a single position in the test runs and got caught. Yet, as the position of the traps is not correlated to the input nor to the computation itself, knowing it does not grant additional attack capabilities to the Server, and blindness is recovered again as a consequence of the blindness of UBQC. More detailed statements can be found in Appendix C, where it is also shown that Redo requests have no effect on the local-blindness of the scheme.
c. Perfect Local-Independent-Verification. Because, in our protocol, the Client shares with the Server whether the computation was a success or an abort, this criterion is trivially satisfied.
d. Exponential Local-Verifiability. Local-verifiability is satisfied if any deviation by the possibly malicious Server yields a state that is ε_ver-close to a mixture of the correct output and the Abort message. Equivalently, the probability that the Server makes the Client accept an incorrect outcome is bounded by ε_ver. Let d/n, t/n and w/t be the ratios of computation runs, test runs and tolerated failed test runs. Our protocol's local-verifiability is given by Lemma 1 and is proven in Appendix D. We give below a sketch of the main ideas yielding the result.
Lemma 1 (Local Verifiability of Protocol 1). Let 0 < w/t < 1/(2k) and 0 < d/n < 1 be fixed ratios, where k is the number of different test-run types. Then, Protocol 1 is ε_ver-locally-verifiable for exponentially-low ε_ver.
Proof Sketch. The first step is to describe all the messages received by the Client during the execution of the protocol without making assumptions on the behaviour of the Server. This comprises the outcomes of the computational runs, but also the measurement of trap qubits and of any other qubit used in the computation or in the tests. Following [5], this can be expressed as the state one would obtain in the perfect protocol followed by a pure deviation on this state.
The second step consists of using this state to bound the probability of failure, i.e. the probability of accepting the computation but having the wrong result. This happens if at least d/2 outcomes of the computation runs have had at least one bit-flip, and no more than w test runs have failed.
In the third step, we use the randomisation over the prepared qubits and measurement angles to twirl the deviation of the Server and to reduce it to diagonal form in the Pauli basis. This further simplifies the expression for the bound.
The fourth step exploits this reduced form of the attack by noticing that it can be dealt with in a classical fashion. To this end, possible attacks are classified using two criteria: 1. Does the attack affect at least d/2 computation runs? Only such attacks stand a chance to corrupt the result of the computation, otherwise the repetition code automatically corrects the deviations. 2. Does the attack make less than w of the t test runs fail? Only then will the deviations be tolerated without triggering a client-side abort.
Depending on the answer to the questions above, the attack falls in one of four regimes. Optimally, the protocol would abort if and only if the result of the computation is corrupted. Clearly, we cannot hope to achieve this perfectly. We therefore must take into account two types of incorrect categorisation. A false positive happens when the protocol aborts although fewer than d/2 computation runs have been affected. While this is undesirable behaviour in terms of noise tolerance, it does not affect security. Since we are here analysing the verifiability of our protocol, we are solely concerned with false negatives: the attack affects at least d/2 computation runs and no abort is triggered. To achieve a satisfying level of security, no attack should fall into this regime with more than negligible probability. For intuition's sake, we give here an analysis of the average case (Figure 2). If the Server deviates in exactly half of the runs on a single qubit (which we suppose to be sufficient for corrupting the computation), the number of affected computation runs will be d/2 on average. In other words, there is a good chance that just enough computation runs are affected to corrupt the final result. This is because the attacker is blind and hence the deviations are randomly distributed over computation and test runs. Similarly, we expect the number of affected test runs to be t/2. Considering that any qubit in a run has a probability of 1/k to be a trap, we expect the number of failed test runs, i.e. the number of test runs with at least one affected trap, to be t/2k. As a consequence, choosing w ≥ t/2k cannot lead to a secure protocol, since the simple attack described above has a non-negligible probability of corrupting the final result while remaining unnoticed. Conversely, setting w < t/2k foils this strategy.
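The average-case reasoning above can be checked numerically. The following sketch assumes a toy model in which the Server attacks a single qubit in exactly half of the runs and the Client assigns run types uniformly at random; all parameter values and function names here are illustrative, not the paper's.

```python
import random

def simulate_blind_attack(n=1000, d=500, k=4, trials=2000):
    """Toy Monte Carlo for the average-case analysis: the Server attacks one
    qubit in exactly half of the n runs but, being blind, cannot tell
    computation runs from test runs.  All parameter values are illustrative."""
    t = n - d                                  # number of test runs
    attacked_count = n // 2                    # attack half of the runs
    sum_corrupted = sum_failed = 0
    for _ in range(trials):
        run_ids = list(range(n))
        comp_runs = set(random.sample(run_ids, d))    # hidden run types
        attacked = random.sample(run_ids, attacked_count)
        # Attacked computation runs are assumed corrupted outright (worst case).
        sum_corrupted += sum(r in comp_runs for r in attacked)
        # An attacked test run fails only if the attacked qubit is a trap,
        # which happens with probability 1/k.
        sum_failed += sum(r not in comp_runs and random.random() < 1 / k
                          for r in attacked)
    return sum_corrupted / trials, sum_failed / trials

avg_corrupted, avg_failed = simulate_blind_attack()
print(f"avg corrupted computation runs (expect ~ d/2 = 250): {avg_corrupted:.1f}")
print(f"avg failed test runs (expect ~ t/2k = 62.5): {avg_failed:.1f}")
```

On average roughly d/2 computation runs are corrupted while only about t/2k test runs fail, which is exactly why the threshold w must be set below t/2k.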
The proof presented in Appendix D goes beyond this average case analysis by showing that this attack is essentially optimal. It uses concentration bounds for the underlying probability distributions to obtain precise bounds that are exponentially-low in the various parameters.
e. Proof of Exponential Composable-Security. Our protocol has perfect correctness (for noiseless devices), blindness and input-independent verification. In addition, it is ε_ver-locally-verifiable with ε_ver exponentially small in n. Therefore, by the Local-Reduction Theorem, it is ε-composably-secure with ε = δ = 4√(2 ε_ver), which is exponentially small in n. Note that because we used the Local-Reduction Theorem to obtain composable security, we incurred an additional square root on our verifiability bound given by Equation 1 and needed to satisfy the additional independence property. This is of course not required if the protocol is meant to be used in a standalone setting such as in early NISQ-era experiments.

Local-Correctness on Honest-but-Noisy Devices
The local-correctness property discussed in the previous section did not take into account device imperfections. In fact, the analysis of blindness and verification makes no distinction between these imperfections and potentially malicious behaviours. Although satisfying these properties makes our protocol a concrete implementation of the Ideal Resource for Verifiable Delegated Quantum Computation, it could still fall short of expectations in terms of usability. Fortunately, for a class of realistic imperfections, our protocol has the additional property of being capable of correcting their impact and accepting with high probability. The final outcome is then the same as that obtained on noiseless devices with honest participants.
This additional noise-robustness property, the main innovation of this paper, amounts to proving that Protocol 1 satisfies the local-correctness property with negligible ε_cor for noisy honest Client and/or Server devices. We prove this property under the following restrictions:
• The noise can be modelled by run-dependent Markovian processes, i.e. a possibly different arbitrary CPTP map acting on each run.
• The probability that at least one of the trap measurements fails in any single test run is upper-bounded by some constant p_max < 1/2 and lower-bounded by p_min ≤ p_max.
Theorem 2 states that, in order for the protocol to terminate correctly with overwhelming probability on these noisy devices, w should be chosen such that w/t > p_max.

FIG. 2. Because of blindness, an attack on less than half of the runs is likely to affect fewer than d/2 computation runs. Such an attack being error-corrected, the protocol should output a result. On the contrary, if an attack is performed on more than half the runs, it has a chance to corrupt the computation and the result should not be trusted. Likewise, in the first case, fewer than t/2 test runs should be affected, while in the second more than t/2 should be. Yet, only a fraction 1/k of the qubits in each test run are traps, meaning that affected test runs turn into failed test runs with probability 1/k. If the threshold value w is set below t/2k, aborts are thrown only when there is an effective risk of tampering. Here, we arbitrarily set k = 4.
Conversely, for any choice of w/t < p min , we show that the protocol aborts with overwhelming probability. See Appendix E for its formal version and proof.
Theorem 2 (Local-Correctness of VDQC Protocol on Noisy Devices (Informal)). Assume a Markovian run-dependent model for the noise on Client and Server devices and let p_min ≤ p_max < 1/2 be respectively a lower and an upper bound on the probability that at least one of the trap measurement outcomes in a single test run is incorrect. If w/t > p_max, Protocol 1 is ε_cor-locally-correct with exponentially low ε_cor. On the other hand, if w/t < p_min, then the probability that Protocol 1 terminates without aborting is exponentially low.
Proof Sketch. Similarly to the previous proof for verifiability, we will here give an intuitive average-case analysis. The full proof uses similar concentration bounds.
Starting with the case where w > t·p_max, we need to analyse the probability that the computation succeeds and the Client accepts it without aborting. This happens if the noise has not disturbed too many computation and test runs (fewer than d/2 and w respectively). These events are independent and are analysed as such in the following, since the noise is independent across runs and the nature of each run is chosen uniformly at random.
If we assume that any corruption of a single qubit of a computation run leads to a corrupted computation, we deduce that p_max is also an upper bound on the probability that the outcome of a single computation run is incorrect. We can then upper-bound the number of failed computation runs by a random variable that follows a (d, p_max)-binomial distribution, of mean d·p_max. Since p_max < 1/2, we have d·p_max < d/2 and therefore, with overwhelming probability, the noise will not corrupt the computation.
Regarding the test runs, a similar reasoning shows that it is also possible to upper-bound the number of failed test runs by a random variable following a (t, p_max)-binomial distribution, of mean t·p_max < w. We conclude that not enough test runs are corrupted to trigger an abort and the Client accepts the (correct) outcome of the computation.
We now focus on the case where w < t·p_min and show that the Client rejects the computation. The number of failed test runs is lower-bounded by a random variable following a (t, p_min)-binomial distribution, of mean t·p_min. This number of failed tests is higher than the acceptance threshold w and the Client therefore aborts. This is a case of false positive, since the outcome is still correct in this scenario.
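The two regimes of Theorem 2 can be illustrated with a toy Monte Carlo model in which each test run fails independently with some fixed probability; the function name and all numerical values below are our own illustrative choices, not the paper's.

```python
import random

def abort_fraction(t, w, p_fail, trials=5000):
    """Fraction of executions in which the Client aborts, when each of the
    t test runs fails independently with probability p_fail and more than w
    failed test runs trigger an abort.  Toy model of Theorem 2's setting."""
    aborts = 0
    for _ in range(trials):
        failed = sum(random.random() < p_fail for _ in range(t))
        if failed > w:
            aborts += 1
    return aborts / trials

t, p_max = 400, 0.10
# w/t above p_max: the protocol accepts with overwhelming probability.
print(abort_fraction(t, w=int(0.15 * t), p_fail=p_max))
# w/t below the failure rate: the protocol aborts almost always.
print(abort_fraction(t, w=int(0.05 * t), p_fail=p_max))
```

The first call almost never aborts while the second almost always does, mirroring the two concentration arguments in the proof sketch.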
Since the results for blindness, input-independent verification and verifiability already integrate the noise in their analyses (as explained below, they consider the most general deviation, which includes noise), this new bound concerning local-correctness on noisy devices can also be used alongside these previous bounds using the Local-Reduction Theorem from [15], yielding in this case a value ε = max{δ, ε_cor} that may now depend on the noise level of the devices since ε_cor > 0 (however, note that if δ > ε_cor, then the noise has no impact on the total ε).

Role of Noise Assumptions
As stated in the last section, our security proof does not rely on any assumption regarding a specific form or strength of the noise. On the contrary, it simply considers any deviation as potentially malicious and shows that the protocol provides information-theoretic verification and blindness of the computation.
The assumptions introduced in this section serve a different purpose: when the imperfections of the devices are light enough, we show that these will systematically correspond to attacks whose impact on the computation is error-correctable. The admissible noise models include independent Pauli operators acting on qubits, but also more general operators that are independent between the various runs. As a consequence, under such mild restrictions, the computation will be accepted with high probability. The Client will hence not only get a security guarantee but also a performance guarantee, in that it will obtain a result.
Consequently, there is no security risk in first probing the device to find out about the noise level and then using it to set the admissible ratio of failed test runs w/t to a compatible value. The value for w/t might even be adjusted between two executions of the full protocol to cope with drifting values of noise. An over-inflated value of w/t only results in superfluous repetitions and hence a longer running time for the protocol. Conversely, setting the value of w/t too low carries the risk of aborting most of the time and thus not being able to ever complete the computation, as is the case with previous protocols without error-correction capabilities.
Regarding the assumption that the noise maps between each run are independent, this can realistically be achieved in an experimental setup by simply waiting long enough between runs for all the states to decohere. This guarantees that no information about a previous run can seep into the next execution. This of course prolongs the duration of the experiment, but considering the low coherence time of quantum memories in the NISQ era (which is precisely the regime that this protocol targets), this overhead is not too prohibitive.

Link to Fault-Tolerance
We want to emphasize that our scheme does not rely on nor provide fault-tolerance. It is quite the opposite in that it decouples the error-correction scheme devoted to fault-tolerant computing from the one that ensures robust verification. More precisely, we define the perceived noise level as the average ratio of test runs that fail given a specific noise model. Given the importance of this parameter, it is legitimate to wonder how it can be optimized.
It is a global metric in the sense that it is obviously easier to attain a perceived noise level below our 1/4 threshold for a 2-qubit computation than it is for a 100-qubit computation. This can be understood in the following way: the built-in error-correction capability does not stop errors from propagating into the result; it only tries to recover the correct result from the noisy outcomes of each unprotected computation run. Conversely, a fault-tolerant scheme prevents error propagation and would be useful in lowering the ratio of failed test runs in large computations, so as to arrive at, for example, the 1/4 ratio of failed test runs required to perform the verified computation.
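A rough illustration of why the perceived noise level grows with computation size: under an i.i.d. per-qubit error model (an assumption made here only for illustration; the paper's noise model is the more general run-dependent Markovian one), the probability that a run is affected at all grows quickly with the number of qubits.

```python
def perceived_noise(p_qubit, n_qubits):
    """Probability that at least one qubit of a run is corrupted, assuming
    i.i.d. noise of strength p_qubit per qubit.  This i.i.d. model is an
    illustrative assumption, not the paper's general noise model."""
    return 1 - (1 - p_qubit) ** n_qubits

for m in (2, 10, 100):
    print(m, round(perceived_noise(0.001, m), 4))
```

With a per-qubit error rate of 0.1%, a 2-qubit run is essentially never affected while a 100-qubit run already fails almost 10% of the time, which is why large computations may need fault-tolerance to stay below the threshold.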
An advantage of this decoupling between fault-tolerant computation and robust verification is that, while fault-tolerance is likely unavoidable for large computations on yet-to-be-created systems, near-term and sufficiently noiseless devices (at the physical level) will allow for verified intermediate-scale computations using our scheme. This would be unreachable if performed in a fault-tolerant way due to large resource overheads.
V. DISCUSSION

Overhead Optimisation
Once the noise level p_max has been determined and used to constrain w as explained in Section IV B, we can look at ways to optimize the resource overhead for robust verification in terms of the excess number of runs compared to standard MBQC.
The first obvious parameter influencing the overhead is the number k of different types of test runs. Higher values of k induce lower amounts of tolerated noise and a higher number of repetitions. In our scheme, k also corresponds to the number of colours in the graph colouring chosen by the Client on the Server's graph G. While the problem of finding an optimal (i.e. minimal) graph colouring is NP-complete for general graphs, there exist efficient algorithms to compute approximately optimal graph colourings.
For any general graph, a greedy algorithm yields a k-colouring with k ≤ D(G) + 1, where D(G) is the maximum degree of G. Also note that most graphs used in MBQC are planar, and the celebrated 4-Colour Theorem states that any planar graph is 4-colourable, hence bounding k by 4. Efficient algorithms to find such a colouring exist (quadratic in the number of vertices of the graph [25]), which would then be of practical interest in designing robust verifiable schemes. Furthermore, as k = 2 is the best possible value for our scheme and because it is efficient to check whether a graph is bipartite, the value k = 2 should be tested first. Note that the brickwork graph (which is universal for quantum computations) and all dotted (edge-decorated) graphs are bipartite. In contrast, deciding whether a graph is 3-colourable is NP-complete, so for large planar graphs the Client may have to choose a 4-colouring instead, at the expense of more repetitions of the protocol to attain the same verification bound.
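Both checks mentioned above — a greedy colouring using at most D(G) + 1 colours and a BFS bipartiteness test for k = 2 — can be sketched in a few lines; the example graph below is a small bipartite ladder standing in for a brickwork-like graph, and all names are ours.

```python
from collections import deque

def greedy_colouring(adj):
    """Greedy colouring: uses at most max-degree + 1 colours."""
    colour = {}
    for v in adj:                       # any vertex order achieves the bound
        used = {colour[u] for u in adj[v] if u in colour}
        colour[v] = next(c for c in range(len(adj)) if c not in used)
    return colour

def is_bipartite(adj):
    """BFS 2-colouring test: succeeds iff the graph admits k = 2."""
    colour = {}
    for start in adj:
        if start in colour:
            continue
        colour[start] = 0
        queue = deque([start])
        while queue:
            v = queue.popleft()
            for u in adj[v]:
                if u not in colour:
                    colour[u] = 1 - colour[v]
                    queue.append(u)
                elif colour[u] == colour[v]:
                    return False        # odd cycle found
    return True

# A small bipartite ladder fragment (a 4-cycle) as a toy stand-in.
ladder = {0: [1, 2], 1: [0, 3], 2: [0, 3], 3: [1, 2]}
print(is_bipartite(ladder))                          # True: k = 2 suffices
print(max(greedy_colouring(ladder).values()) + 1)    # colours used: 2
```

When `is_bipartite` succeeds, the Client can take k = 2 and tolerate the most noise; otherwise the greedy colouring (or a planar 4-colouring) bounds k.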
Once k is fixed, for target values of the perceived noise level, and of the acceptance and failure probabilities, numerical optimization can be used to determine the best values for the total number of runs n, the ratio of test runs t/n, and the ratio of test runs allowed to fail w/t, using Equation D5.
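Since Equation D5 is not reproduced here, the following sketch uses a generic Hoeffding-style acceptance bound as a hypothetical stand-in, only to show what such a numerical parameter search might look like; both functions and the bound itself are our assumptions, not the paper's.

```python
import math

def accept_prob_lower_bound(t, w, p_max):
    """Hoeffding-style lower bound on acceptance: at most w of t test runs
    fail when each fails with probability <= p_max and w/t > p_max.
    A generic stand-in for the paper's Equation D5, not that equation."""
    if w / t <= p_max:
        return 0.0
    return 1 - math.exp(-2 * t * (w / t - p_max) ** 2)

def smallest_t(w_ratio, p_max, target=0.999):
    """Smallest number of test runs t for which the bound reaches `target`."""
    t = 1
    while accept_prob_lower_bound(t, w_ratio * t, p_max) < target:
        t += 1
    return t

print(smallest_t(w_ratio=0.2, p_max=0.1, target=0.999))  # → 346
```

The same loop structure extends to a grid search over n, t/n and w/t once the actual bound from Equation D5 is plugged in.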

Link to Certification and Benchmarking
Finally, we want to point out a connection between certification and verification that stems directly from the presented protocol. As mentioned in the introduction, two broad strategies can be pursued when one wants to give guarantees with respect to a device sold to clients.
On one hand, the provider and the device can be certified by a trusted third party, with the provider committing to manufacture the device that has been certified. The commitment is enforced not by design but legally. This is often chosen for efficiency reasons: the certification is done once and, in case of widespread services or devices, the cost (in time, money, effort) to certify it is absorbed into the volume of services or devices provided. Another reason for choosing this form of certification is that it offers a natural way to cope with imperfect devices: most devices are certified to within some acceptable range of performance describing their nominal behaviour.
This, however, has caveats, as recent years have proven. For the commitment to be effective, there needs to be a reasonable chance to catch deviations from the certified behaviour, which supposes in turn that devices are prevented from sensing whether they are being tested or not.

On the other hand, the provider can choose to opt for a verifiable device (or service). In that case the security is better, as there is no commitment required, only fact-based trust dependent on a series of tests. The trouble with such a strategy is, or rather was up to now, its high overhead in the context of quantum computing, making it inaccessible and extremely expensive in any foreseeable future.
Our results show that for certain classes of computations this does not need to be the case. In fact, the best of both worlds can be combined. Test runs are indeed probing whether our device and computation abide by certification standards expressed in terms of an effective noise level. This is done continuously throughout the computation in order to prevent the device from adapting its behaviour. Since the computation is blind, even a fully malicious adversary cannot successfully fool the protocol. So, in effect, blindness allows computation and certification to be combined to arrive at verification, retaining the efficiency and imperfection tolerance of certification while keeping the unconditional security of verified schemes. While this is clearly more expensive than simple certification, this overhead should be acceptable for a wide range of practical situations. A natural open question, which we leave for further research, is whether this strategy can be extended to other protocols and whether there are situations where other schemes are more efficient.

VI. CONCLUSION
We have presented above a protocol that is the first of its kind with respect to its ability to withstand noise while allowing computations to be successfully executed in an unconditionally verifiable way with relatively modest overhead. These capabilities are made possible by the nature of the computation: its deterministic classical output, combined with a classical repetition code, favourably replaces more resource-demanding fault-tolerant constructions. The obtained error-correction capability can then be used to tolerate noise while having the computation perform correctly.
Appendix A: Useful Definitions and Lemmata

The following definitions and lemmata are useful tools for our proofs.
Definition 1 (Hypergeometric distribution [26]). Let N, K, n ∈ ℕ with 0 ≤ n, K ≤ N. A random variable X is said to follow the hypergeometric distribution, denoted as X ∼ Hypergeometric(N, K, n), if its probability mass function is described by

Pr[X = k] = \binom{K}{k} \binom{N-K}{n-k} / \binom{N}{n}.

As one possible interpretation, X describes the number of drawn marked items when drawing n items from a set of size N containing K marked items, without replacement.
Lemma 2 (Tail bound for the hypergeometric distribution [26]). Let X ∼ Hypergeometric(N, K, n) be a random variable and 0 < t < K/N. It then holds that

Pr[X ≤ (K/N − t) n] ≤ e^{−2 t² n}.

Corollary 1. Let X ∼ Hypergeometric(N, K, n) be a random variable and 0 < λ < nK/N. It then holds that

Pr[X ≤ λ] ≤ e^{−2 (nK/N − λ)² / n}.

Lemma 3 (Serfling's bound for the hypergeometric distribution [27, 28]). Let X ∼ Hypergeometric(N, K, n) be a random variable and λ > 0. It then holds that

Pr[X ≥ (K/N + λ) n] ≤ e^{−2 λ² n}.

Corollary 2. Let X ∼ Hypergeometric(N, K, n) be a random variable and λ > nK/N. It then holds that

Pr[X ≥ λ] ≤ e^{−2 (λ − nK/N)² / n}.

Note the symmetry of Corollary 1 and Corollary 2.
Lemma 4 (Hoeffding's inequality for the binomial distribution). Let X ∼ Binomial(n, p) be a random variable. For any k ≤ np it then holds that

Pr[X ≤ k] ≤ e^{−2 (np − k)² / n}.

Similarly, for any k ≥ np it holds that

Pr[X ≥ k] ≤ e^{−2 (k − np)² / n}.
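Lemma 4 can be sanity-checked numerically by comparing the Hoeffding bound against the exact binomial upper tail; this is a quick illustration only, not part of the proofs, and the function names are ours.

```python
import math

def binom_tail_upper(n, p, k):
    """Exact upper tail Pr(X >= k) for X ~ Binomial(n, p)."""
    return sum(math.comb(n, i) * p**i * (1 - p)**(n - i)
               for i in range(k, n + 1))

def hoeffding_upper(n, p, k):
    """Hoeffding bound Pr(X >= k) <= exp(-2 (k - n p)^2 / n), for k >= n p."""
    return math.exp(-2 * (k - n * p) ** 2 / n)

n, p, k = 200, 0.1, 40
print(binom_tail_upper(n, p, k))   # exact tail, far below the bound
print(hoeffding_upper(n, p, k))    # exp(-4) ≈ 0.0183
```

The exact tail always sits below the Hoeffding value, and both decay exponentially as k moves away from the mean np, which is the behaviour the proofs exploit.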

Appendix B: Formal Security Definitions
We model N-round two-party protocols between players A (the honest Client) and B (the potentially dishonest Server) as a succession of 2N CPTP maps {E_i}_{i∈[1,N]} and {F_j}_{j∈[1,N]}. The maps {E_i}_i act on A, A's register, and C, a communication register shared between A and B. Similarly, the maps {F_j}_j act on B and C. Note that B and the maps {F_j}_j can be chosen arbitrarily by B and thus, unless B is specified to be behaving honestly, there is no guarantee that they are those implied by our protocol. Since we are only interested in protocols where A provides a classical input x, we will equivalently write the input as the corresponding computational basis state |x⟩ used to initialize A, whereas B and C are initialized in a fixed state |0⟩.
Below, we denote by Δ(ρ, σ) = (1/2)‖ρ − σ‖₁ the distance on the set of density matrices induced by the trace norm ‖ρ‖₁ = Tr √(ρ†ρ). We first define S, the ideal resource for verifiable delegated quantum computation, and then the local properties from [15].
a. Ideal Resource for Verifiable Delegated Quantum Computation. The ideal resource S has interfaces for two parties, A and B. The A-interface takes two inputs: a classical input string x and the description of U, the computation to perform. The B-interface is filtered by a bit b. When b = 0, there is no further legitimate input from B, while for b = 1, it is allowed to send a bit c that determines the output of the computation available at A's interface. When b = 0 or c = 0, the output at A's interface is equal to M_Comp ∘ U(|x⟩), where M_Comp is the computational basis measurement. This corresponds to a "no cheating" behaviour. When c = 1, B has decided to cheat and A receives the Abort message, which can be given as a quantum state of A taken orthogonal to any other possible output state. At B's interface, S outputs nothing for b = 0, while for b = 1, B receives l(U, x), the permitted leakage. For generic MBQC computations, the permitted leakage is set to G, the graph used in the computation. When G is a universal graph for MBQC computation, the permitted leakage reduces to an upper bound on the size of the computation #U.
For this ideal resource, blindness is an immediate consequence of the Server receiving at most the permitted leak, while verifiability is a consequence of the computation being correct when the Server is not cheating, and aborted otherwise.
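The input/output behaviour of the ideal resource S can be sketched as a purely classical toy function, with U modelled as a classical map standing in for M_Comp ∘ U; every name below is illustrative and not part of the formal definition.

```python
def ideal_resource(x, U, b=0, c=0, leak=None):
    """Classical sketch of the ideal resource S for verifiable delegated
    quantum computation.  `U` is a classical function standing in for
    measuring U|x> in the computational basis; names are illustrative."""
    if b == 0 or c == 0:
        # "No cheating": A gets the correct outcome, B gets nothing.
        return {"client": U(x), "server": None}
    # b = 1 and c = 1: B cheats, A only ever sees Abort, B gets the leak.
    return {"client": "Abort", "server": leak}

# Honest behaviour (b = 0): the Client obtains the computation's outcome.
print(ideal_resource("110", lambda x: x[::-1]))
# Cheating (b = 1, c = 1): the Client sees Abort, the Server gets the leak.
print(ideal_resource("110", lambda x: x[::-1], b=1, c=1, leak="graph G"))
```

The point of the model is that a cheating B can only choose between the correct outcome and Abort; it can never steer A towards an incorrect accepted result.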
b. ε_cor-Local-Correctness. Let P_AB be a two-party protocol as defined above with the honest CPTP maps for players A and B. We say that such a protocol implementing U is ε_cor-locally-correct if for all possible inputs x for A we have:

Δ(tr_B P_AB(|x⟩), M_Comp ∘ U(|x⟩)) ≤ ε_cor.   (B1)

c. ε_bl-Local-Blindness. Let P_AB be a two-party protocol as defined above, where the maps {E_i}_i are the honest maps. We say that such a protocol is ε_bl-locally-blind if, for each choice of {F_i}_i, there exists a CPTP map F : L(B) → L(B) such that, for all inputs x for A, we have:

Δ(tr_A P_AB(|x⟩), F(|0⟩⟨0|_B)) ≤ ε_bl.   (B2)

d. ε_ind-Independence of the Verification from A's Input. Let P_AB be a verifiable two-party protocol as defined above, where the maps {E_i}_i are the honest maps. Let B̃ be a qubit extending B's register, initialized in |0⟩. Let Q_AB̃ : L(A ⊗ B̃) → L(A ⊗ B̃) be a CPTP map which, conditioned on A containing the state |Abort⟩, switches the state in B̃ from |0⟩ to |1⟩ and does nothing in the other cases.
We say that such a protocol's verification procedure is ε_ind-independent from player A's input if there exist CPTP maps F̃_i : L(C ⊗ B ⊗ B̃) → L(C ⊗ B ⊗ B̃) such that:

e. ε_ver-Local-Verifiability. Let P_AB be a two-party protocol as defined above, where the maps for A are the honest maps, while the maps {F_j}_j for B do not necessarily correspond to the ideal (honest) ones. Let x be the input given by A in the form of a computational basis state |x⟩ and U the computation it wants to perform. The protocol P_AB is ε_ver-locally-verifiable for A if for each choice of CPTP maps {F_j}_j, there exists p ∈ [0, 1] such that:

Δ(tr_B P_AB(|x⟩), p U(|x⟩) + (1 − p) |Abort⟩⟨Abort|) ≤ ε_ver.

Appendix C: Proof of Blindness

Proof. To prove that Equation B2 holds for ε_bl = 0, first note that at the end of our protocol, the Client A reveals to the Server B whether the computation was accepted or aborted. Hence, each case can be analyzed separately. Second, we show that the interrupted runs that have triggered a Redo can be safely ignored. Indeed, each one of them is the beginning of an interrupted UBQC computation and, because UBQC is composable and perfectly blind [15], no information can leak to the Server through the transmitted qubits. In addition, our protocol restricts the honest party A in its ability to emit Redo requests, so that no correlations are created between the indices of the interrupted runs and U or the secret random parameters used in the runs (angle and measurement padding, and trap preparations). As a consequence, from the point of view of B, the state of the interrupted runs is completely independent of the state of the non-interrupted ones and does not contain information regarding the input, computation or secret parameters. That is, its partial trace over A can be generated by B alone.
For the non-interrupted runs, we can invoke the same kind of independence argument between the computation runs and the test runs. As a result, the blindness of our protocol stems from the blindness of the underlying computation runs. In case the full protocol is a success, we can rely on the composability of the perfect blindness of each UBQC computation run to obtain perfect local-blindness. For an abort, we can consider a situation that is more advantageous for B by supposing that, alongside the Abort message sent by A, it also gives away the location of the trap qubits. In this modified situation, the knowledge of the computation being aborted does not bring additional information to B, as it only reveals that one of the attacked positions was a trap qubit, which B now already knows. Using our independence argument between the trap locations on the one hand, and the inputs, computation and other secret parameters on the other, we conclude that revealing the location of the trap qubits does not affect the blindness of the computation runs. Hence, using composability again and combining the abort and accept cases, we arrive at Equation B2 with ε_bl = 0.

Appendix D: Proof of Verifiability
Proof of Lemma 1. We take a direct approach to proving Lemma 1 by bounding the probability of yielding a wrong output while not aborting. To do so, we consider the state of the combined computation as if it were a single verified computation and not made of separate sequential runs. Once again, because in our protocol the parties can only ask for redoing a run independently of the input, computation, used randomness and of the output of the computation itself (including the results of trap measurements), interrupted runs can be safely ignored in the verification analysis, as the state corresponding to these runs is uncorrelated with that of the completed runs. The combined-computation view will be useful as we want to consider the Server B performing any kind of attack. In particular, it could decide to perform some action on a qubit depending on measurements in one or several of the underlying runs, or to entangle the various underlying runs together. Yet, for each qubit of the combined computation, we will continue to refer to the underlying run this qubit would belong to if the computation were done using sequential runs.
a. Output of the combined computation. We first consider the density operator B({F_j}_j, ν) that corresponds to the classical messages the Client A receives during its interaction with B, comprising the final message containing the encrypted measurement outcomes. Below, the CPTP maps {F_j}_j represent the chosen behaviour of B and possibly act on the combined computation as a whole, and not only run by run. By representing the classical messages as quantum states in the computational basis, we can always write an expression of the form of Equation D1, where: b is the list of measurement outcomes defining the computation branch; ν is a composite index for the secret parameters chosen by A, i.e. the type of each underlying run, the padding of the measurement angles and measurement outcomes, and the trap setup; |b + c·r⟩⟨b| ensures that only the part corresponding to the current computation branch is taken into account and removes the One-Time-Pad encryption on non-output and non-trap qubits while leaving output and trap qubits unaffected, i.e. encrypted; |0⟩⟨0|_B is some internal register for B in a fixed initial state; and Ψ_{ν,b} is the state of the qubits sent by A to B at the beginning of the protocol, tensored with quantum states representing the measurement angles of the computation branch b.
To obtain this result, we can follow the lines of proof of [5] and [21] applied to the combined computation. This works by noting that for a given computation branch b and given random parameters ν, all the measurement angles are fully determined. Therefore, provided that the computation branch is b, we can include the measurement angles into the initial state. This defines Ψ_{ν,b}. Then, each F_j is decomposed into an honest part and a pure deviation. All the deviations are commuted and collected into a map F̃ applied after P, the unitary part of the honest protocol. The projections onto |b⟩ then ensure that, after the deviation induced by B, the perceived computation branch is b. This, together with the decryption of non-output non-trap qubits, gives Equation D1.
b. Probability of failure. A failure for the combined computation occurs when the result after the majority vote is incorrect while the computation is accepted.
The combined computation being deterministic, we can define P_⊥, the projector onto the subspace of incorrect states for the output qubits before the majority vote. For the combined computation to be accepted, no more than w test runs may have a trap qubit measurement outcome opposite to what was expected. Let T denote the set of trap qubits, which is determined by the set of test runs and the type of each test run. In the absence of any deviation on the combined computation, their expected value is |r_T⟩ = ⊗_{t∈T} |r_t⟩, where r_T = (r_t)_{t∈T} denotes the measurement-outcome padding values restricted to trap qubits. Therefore, the projector onto the states of the trap qubits yielding an accepted combined computation can be written as ∑_{w∈W} X^w_T |r_T⟩⟨r_T| X^w_T with X^w_T = ⊗_{t∈T} X^{w_t}_t, where W is the set of length-|T| binary vectors w that have a one in no more than w underlying (test) runs. Combining the projector onto incorrect outputs with the one for accepted computations, we obtain the probability of failure, Equation D2, where F̃ has been decomposed into Kraus operators indexed by k, which were in turn decomposed in the Pauli basis through the coefficients α_{kσ} and α'_{kσ'}. Consequently, σ and σ' are Pauli matrices. c. Necessary condition for failure. The difficulty with the above expression for the probability of failure lies in determining the exact form of P_⊥ and manipulating it. Instead, we will derive a coarse necessary condition for the final state of the non-trap qubits to be in the subspace defined by P_⊥. Then, we will upper-bound Pr(fail) by evaluating the probability of satisfying our necessary condition while accepting the whole computation.
First, note that the output of the computation being classical and deterministic, we can write the correct decrypted output state as |s_O⟩⟨s_O| for some length-|O| binary vector s_O over the set O of output qubit positions of the combined computation. Next, as for the trap qubits, the value sent to the Client is One-Time-Padded by the value of the random parameter r_O to preserve blindness against the Server (i.e. c·r is 0 for output qubits). Hence, the state of the output qubits received by the Client in the absence of deviation is |s_O + r_O⟩⟨s_O + r_O|. Now, because the result of the computation is the majority vote of the measurement outcomes of the output qubits over the underlying computation runs, each result bit is protected by a length-d repetition code. All attacks non-trivially affecting fewer than d/2 underlying computation runs will be corrected. Conversely, for a failure to happen, it is necessary that at least d/2 underlying computation runs are non-trivially affected by the attack Ω. This means that the subspace stabilized by P_⊥ is also stabilized by the coarser projection operator ∑_{v∈V} X^v_O |s_O + r_O⟩⟨s_O + r_O| X^v_O, where V is the set of binary vectors over O with at least one non-zero position in at least d/2 underlying (computation) runs. As a consequence, the latter projector can be used to replace P_⊥, which yields an upper bound on Pr(fail), where b̄ is the binary vector obtained from b by restricting it to non-output, non-trap qubits.
The above equation is obtained from a simple equality, since $c_r = 0$ for output and trap qubits, together with the circularity of the trace.
d. Using blindness of the scheme. The design of the protocol yielding the combined computation ensures blindness. This implies that the resulting state of any set of qubits, after applying $P$ and averaging over their possible random preparation parameters, is the completely mixed state. This can be applied, in the above equation, to the set of non-output, non-trap qubits. For the output and trap qubits, we first need to compute the inner products before summing over their random preparation parameters $\nu_O$ and $\nu_T$ respectively. We know, however, that the perfect protocol produces the output and trap qubits in their expected states $|s_o \oplus r_o\rangle$ and $|r_t\rangle$. Using the circularity of the trace, and since the Pauli matrices are traceless, this imposes $\sigma_l = \sigma'_l$ for $l \notin O \cup T$, where the subscript $l$ selects the action of $\sigma$ and $\sigma'$ on qubit $l$. For the output qubits, the corresponding inner product vanishes for $\sigma_o \neq \sigma'_o$, and similarly for the traps, $\langle r_t|\,X_t^{w_t}\sigma_t\,|r_t\rangle\langle r_t|\,\sigma'_t X_t^{w_t}\,|r_t\rangle$ vanishes for $\sigma_t \neq \sigma'_t$.
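The role of the One-Time-Pad average can be checked numerically; the sketch below (our own single-qubit illustration, not part of the proof) verifies that padding with a uniformly random $X^r$ yields the completely mixed state, so that cross terms pick up a factor $\mathrm{Tr}[\sigma_l \sigma_l'^\dagger] = 0$ whenever $\sigma_l \neq \sigma'_l$.

```python
import numpy as np

# Single-qubit Pauli matrices.
X = np.array([[0, 1], [1, 0]], dtype=complex)
Z = np.diag([1.0, -1.0]).astype(complex)
Y = 1j * X @ Z

# Averaging |0><0| over a uniformly random X^r pad gives I/2.
rho = np.array([[1, 0], [0, 0]], dtype=complex)
padded = 0.5 * (rho + X @ rho @ X.conj().T)
print(np.allclose(padded, np.eye(2) / 2))  # True

# On the mixed state, cross Pauli terms vanish: Tr[s1 (I/2) s2^dag] = 0
# for distinct Paulis s1 != s2, which forces sigma_l = sigma'_l.
for s1, s2 in [(X, Y), (X, Z), (Y, Z)]:
    assert abs(np.trace(s1 @ padded @ s2.conj().T)) < 1e-12
```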
e. Worst case scenario (for the upper bound). The worst case corresponds to maximizing the bound on $\Pr(\mathrm{fail})$. Since $\sum_{k,\sigma}|\alpha_{k\sigma}|^2 = 1$, the bound is worst when $\alpha_{k\sigma} = 1$ for the $\sigma$ maximizing $f(\sigma)$. In this case we get $\Pr(\mathrm{fail}) \le \max_\sigma f(\sigma)$. f. Simplified expression for the bound. Given our protocol, a global trap- and output-qubit configuration $\nu_O, \nu_T$ is defined by (i) the set $T$ of trap qubits, itself entirely determined by the position and kind of the test runs within the sequence of runs, and (ii) the preparation parameters $\theta_l$ and $r_l$ of each trap and output qubit. Each parameter in (i) and (ii) being chosen independently, the probability of a given configuration $\nu_O, \nu_T$ decomposes into the probability $\Pr(T)$ of a given configuration of trap locations, multiplied by the probability of a given configuration of prepared states of the trap and output qubits, $\prod_{l\in O\cup T}\Pr(\theta_l, r_l)$. Using this, one can rewrite $f(\sigma)$ as a sum over trap configurations of products of terms of the form $\sum_{\theta_t, r_t}\Pr(\theta_t, r_t)\,\big|\langle r_t|\,X_t^{w_t}\sigma_t\,|r_t\rangle\big|^2$. Now, let $\sigma$ be a maximizing attack and denote by $\sigma|_X$ the binary vector, indexed by the qubit positions of the combined computation, whose ones mark the positions on which $\sigma$ acts as $X$ or $Y$. In the following, we also allow $O$ to denote the binary vector over qubit positions of the combined computation whose ones mark qubits in $O$, and similarly for $T$. Using the fact that the output-qubit terms depend only on $\sigma|_X \cdot O$, where, for binary vectors $a$ and $b$, $a\cdot b$ denotes the bit-wise product vector, and the similar expression obtained for the trap qubits, inserting these expressions into Equation D2 shows that, for the attack to be successful, it must non-trivially affect at least $d/2$ computation runs and at most $w$ test runs. The probability of failure can thus be rewritten as $\Pr(\mathrm{fail}) \le \max_\sigma \sum_{T\in\Upsilon_\sigma}\Pr(T)$, where $\Upsilon_\sigma$ is the set of configurations for which the binary vector $\sigma|_X$ has ones in at most $w$ test runs and in at least $d/2$ computation runs. g. Closed form upper bound.
Now, assume that the maximum above is attained for some $\sigma$ that happens to affect one of the runs, say $k$, on more than one qubit. Consider $\sigma'$, whose sole difference with $\sigma$ is that only one of the qubits in run $k$ is affected by the attack. Because run $k$ is still non-trivially affected by both $\sigma$ and $\sigma'$, all configurations $T$ in $\Upsilon_\sigma$ are also in $\Upsilon_{\sigma'}$. Therefore $\Pr(\mathrm{fail}) \le \max_m \max_{\sigma\in E_m} \sum_{T\in\Upsilon_\sigma}\Pr(T)$, where $E_m$ denotes the set of Pauli operators with $m$ single-qubit deviations, all in distinct runs. Note that the parameter $m$ and the locations of the attacks within each run describe the adversary's strategy. Additionally, since the random choice of test runs is completely uniform, the term $\sum_{T\in\Upsilon_\sigma}\Pr(T)$ is invariant under permutations of the test and computation runs. We can hence restrict the range of the maximum to the specific Pauli operators $\sigma_m$ with a deviation on a single qubit in each of the first $m$ runs:

Pr(T ). (D3)
Formal bound. To find a closed-form upper bound for the right-hand side of Equation D3, we distinguish two regimes (see Figure 3): 1. For $m \ge (\frac12 - \varphi)n$ with some (small) $\varphi > 0$, we upper-bound the right-hand side by the probability that $\sigma_m$ triggers no more than $w$ traps, thus ignoring the condition that $\sigma_m$ affects more than $d/2$ computation runs. This is again done in two steps: (a) find a lower bound (holding with high probability) on the number of affected test runs; (b) use this number to find a lower bound on the number of triggered traps.
2. For $m \le (\frac12 - \varphi)n$, we show an upper bound on the probability that $\sigma_m$ manages to affect at least $d/2$ computation runs, this time ignoring the condition that $\sigma_m$ affects fewer than $w$ traps.
FIG. 3. The four cases needed to determine a closed-form upper bound for the probability of failure. First, we determine the probability for the number of affected computation runs. If it is low enough ($Z < d/2$), there is no need to abort. If it is high ($Z \ge d/2$), we bound the probability that the number of failed test runs $Y$ is below or above $w$.
The probability that a given test run fails is therefore upper-bounded by $p_{\max}$. Let $\hat Y_1$ be a random variable following a $(t, p_{\max})$-binomial distribution. Since we suppose that the noise is not correlated across runs, $Y$ is upper-bounded by $\hat Y_1$ in the usual stochastic order: $\Pr[Y < w] \ge \Pr[\hat Y_1 < w] = 1 - \Pr[\hat Y_1 \ge w]$. Further, since $\mathbb E[\hat Y_1] = t\,p_{\max} < w$, applying Lemma 4 yields an exponentially small bound on $\Pr[\hat Y_1 \ge w]$; combining these inequalities bounds $\Pr[Y < w]$ from below. For $\omega < p_{\min}$: in that case, we have $w < t\,p_{\min}$, and we show that the probability of accepting is upper-bounded by a negligible function. Let $\hat Y_2$ be a random variable following a $(t, p_{\min})$-binomial distribution; $Y$ is then lower-bounded by $\hat Y_2$ in the usual stochastic order: $\Pr[Y < w] \le \Pr[\hat Y_2 < w]$. Since $w < t\,p_{\min}$, using Lemma 4 directly and the same simplifications as above, we get $\Pr[\hat Y_2 < w] \le \exp(-2(p_{\min} - \omega)^2\,\tau n) = \epsilon_{Y,2}$. Therefore $\Pr[\mathrm{Ok}] \le \epsilon_{Y,2} \in \mathrm{negl}(n)$.
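The concentration step can be sanity-checked numerically. In the sketch below we assume Lemma 4 to be the standard Hoeffding tail bound for binomials; the names mirror the text ($\omega = w/t$), while the simulation parameters are our own.

```python
import math
import random

def hoeffding_lower_tail(t_runs, p, w):
    """Hoeffding bound on Pr[Binomial(t, p) < w] for w < t*p
    (Lemma 4 is assumed here to be of this standard form)."""
    assert w < t_runs * p
    return math.exp(-2 * (p - w / t_runs) ** 2 * t_runs)

def empirical_lower_tail(t_runs, p, w, trials=20000, seed=0):
    """Monte Carlo estimate of Pr[Binomial(t, p) < w]."""
    rng = random.Random(seed)
    hits = sum(
        sum(rng.random() < p for _ in range(t_runs)) < w
        for _ in range(trials)
    )
    return hits / trials

t_runs, p_min, w = 200, 0.25, 30  # omega = w/t = 0.15 < p_min
print(empirical_lower_tail(t_runs, p_min, w)
      <= hoeffding_lower_tail(t_runs, p_min, w))
```

The empirical tail probability indeed falls below the analytic bound, consistent with $\Pr[\hat Y_2 < w]$ being negligible when $\omega < p_{\min}$.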