Certified Quantum Computation in Isabelle/HOL

Abstract

In this article we present an ongoing effort to formalise quantum algorithms and results in quantum information theory using the proof assistant Isabelle/HOL. Formal methods being critical for the safety and security of algorithms and protocols, we foresee their widespread use for quantum computing in the future. We have developed a large library for quantum computing in Isabelle based on a matrix representation for quantum circuits, successfully formalising the no-cloning theorem, quantum teleportation, Deutsch’s algorithm, the Deutsch–Jozsa algorithm and the quantum Prisoner’s Dilemma. We discuss the design choices made and report on an outcome of our work in the field of quantum game theory.

1 Introduction

On January 4th 2017 the computer scientist László Babai retracted a claim he made in a preprint¹ after the mathematician Andrés Helfgott spotted an error in his work. Back in 2015, Babai’s result, dealing with the so-called graph isomorphism problem, a central problem in the field of computer algorithms, was dubbed “the theoretical computer science advance of the decade”. In the meantime Helfgott had spent months reviewing Babai’s algorithm in preparation for a talk at the Bourbaki seminar to report on Babai’s major result. On January 9th 2017 in a new (last?) unexpected twist, Babai announced a fix for his error and he restored his claim. It seems that Helfgott is confident that the fix is correct, but Babai’s paper is still unpublished as of September 23, 2020.

This story exemplifies the difficulty making sure that an algorithm obeys its specification. This challenge might be even harder with respect to quantum algorithms, since our intuition weakens when one moves from the classical world to the quantum realm. Fortunately, formal methods can help with the task of certifying that a quantum algorithm obeys its specification. Recent work in that direction include the formalisation of Grover’s algorithm in Isabelle by Liu et al. [1]. However, for their formalisation of Grover’s algorithm the authors use a tailored quantum Hoare logic. One should also mention the QWIRE project by Rand et al. [2] for quantum circuits, although the authors use a different approach since their work is an embedding of the QWIRE quantum circuit language in the proof assistant Coq to formally prove properties of those circuits. The closest to the present work is the work of Boender et al. [3] which culminates in the formalisation of the quantum teleportation protocol using the proof assistant Coq, this algorithm becoming the de facto benchmark in the field. This benchmark is successfully reached and surpassed in our work.

In this paper we present a large formalisation of results in quantum computation and quantum information theory developed in the proof assistant Isabelle. Our library² includes the quantum teleportation protocol, the no-cloning theorem, Deutsch’s algorithm, the Deutsch–Jozsa algorithm and the quantum Prisoner’s Dilemma. To the best of our knowledge a formalisation of these last four classic results has never been done before. We start with the basics of quantum computing in Sects. 2, 3 and 4 . We then introduce the aforementioned results formalised in the library in Sect. 5. Throughout the article we discuss the design choices made. Finally, we outline an unexpected outcome of our formalisation in Sect. 5.4.

2 Qubits and Quantum States

In the classical model of computation the bit is the fundamental unit of information. There are two classical states for a bit, namely 0 and 1. In quantum computing the bit is superseded by the quantum bit, the so-called qubit, which becomes the fundamental unit of information. In the same way, any qubit has a (quantum) state, but the situation is more involved.

For the sake of simplicity, let us start with a 1-qubit system. In that case, the quantum state of our qubit is a normalised vector in a 2-dimensional complex vector space. Using the Dirac notation introduced in quantum mechanics, a column vector in that space is denoted by \(|\psi \rangle \), where \(\psi \) is a mere label, and the vector \(|\psi \rangle \) is called a ket. In that context the two elements of the computational basis, namely

$$\begin{aligned} \begin{pmatrix} 1 \\ 0 \end{pmatrix} \;, \begin{pmatrix} 0 \\ 1 \end{pmatrix}\;, \end{aligned}$$

are denoted by \(|0\rangle \) and \(|1\rangle \), respectively. Actually, the label for the nth element of the computational basis corresponds to the binary expression of n, hence \(|0\rangle \) should not be confused with the zero vector, namely

$$\begin{aligned} \begin{pmatrix} 0 \\ 0 \end{pmatrix} \;. \end{aligned}$$

The zero vector being not normalised, it is not a quantum state.

So, in the computational basis a state of our qubit is a linear combination \(\alpha _0\, |0\rangle + \alpha _1\, |1\rangle \) such that \(\alpha _0\) and \(\alpha _1\) are complex numbers satisfying the normalisation constraint

$$\begin{aligned} \vert \alpha _0|^2 + |\alpha _1 |^2 = 1. \end{aligned}$$

In the quantum world, the coefficients \(\alpha _0\) and \(\alpha _1\) are called amplitudes, and one sometimes uses the word superposition instead of the phrase linear combination.

For a 2-qubit system the state of a qubit becomes a normalised vector in a 4-dimensional complex vector space. If \(|00\rangle , |01\rangle , |10\rangle , |11\rangle \) denote the elements of the computational basis, then such a state is a superposition

$$\begin{aligned} \alpha _{00}\, |00\rangle + \alpha _{01}\, |01\rangle + \alpha _{10}\, |10\rangle + \alpha _{11}\, |11\rangle \;, \end{aligned}$$

with \(|\alpha _{00} |^2 + |\alpha _{01} |^2 + |\alpha _{10}|^2 + |\alpha _{11}|^2 = 1\).

In order to model the quantum states of qubits we exploit Isabelle’s system module for dealing with a hierarchy of parametric theories, the so-called locales [4]. In our library the locale state provides the context for talking about the quantum states of a n-qubit system (Fig. 1).

Fig. 1

The locale state in Quantum.thy

In this locale v is a complex matrix, but the condition is_column ensures it is a column matrix, i.e. a column vector. We choose to model quantum states by column matrices instead of vectors, since this design choice will come in handy when applying quantum gates to quantum states (more on that later). The condition dim_row relates to the dimension of the ambient vector space and the condition is_normal provides the normalisation constraint. We also introduce the corresponding set of quantum states of a given dimension, where this time we can directly use complex vectors (Fig. 2).

Fig. 2

The definition of the set state_qbit in Quantum.thy

Of course, given the context provided by the locale state we can prove that v (or rather the first column of v) belongs to state_qbit n.

One can also go the other way around, i.e. from vectors to column matrices. We take this opportunity to introduce in our library Dirac’s ket notation, since Isabelle allows some syntactic sugar (Fig. 3).

Fig. 3

Dirac’s ket notation

In our library we implicitly work in the computational basis, hence the amplitudes have to be understood accordingly.

3 Quantum Gates

Like their classical counterparts, quantum gates are used to manipulate information. More exactly, quantum gates are ways of manipulating the quantum states of qubits. Usually there are two kinds of representations for quantum gates, namely circuit representations and matrix representations. Since it is not possible to directly work in Isabelle with circuits, we choose in that context the more convenient matrix representations. In this process we take advantage of the nice library for matrices developed by Thiemann and Yamada [5]. Then, a quantum state \(|\psi \rangle \) being in particular a column matrix, the action of a quantum gate U on \(|\psi \rangle \) is simply given by the matrix multiplication \(U \,|\psi \rangle \), denoted \(U \,^*\, |\psi \rangle \) in Isabelle.

However, not every matrix is a quantum gate. Quantum gates belong to a specific class of complex matrices. Actually, given a n-qubit system the quantum gates are exactly the \(2^n\times 2^n\) matrices that are unitary. In order to explain what unitary means, we need to introduce the Hermitian conjugate of a complex matrix. Let U be a complex matrix, its Hermitian conjugate \(U^\dagger \) is the complex conjugate of its transpose, namely \((U^t)^*\). In different contexts people use different notations for the Hermitian conjugate, but the dagger operator is commonly used in quantum mechanics, and we keep this notation in the library. A complex square matrix U is said to be unitary if \(U^\dagger \,U = U\, U^\dagger = I\), i.e. if its inverse is given by its Hermitian conjugate (Fig. 4).

Fig. 4

The definitions of the Hermitian conjugate of a matrix and the unitary predicate, respectively (see Quantum.thy)

In Isabelle we encapsulate the definition of a quantum gate inside a dedicated locale (Fig. 5).

Fig. 5

The locale gate in Quantum.thy

What is the idea behind unitarity? Unitary matrices are length-preserving. One has \(\Vert U \, |v\rangle \Vert = \Vert |v\rangle \Vert \) for every unitary matrix U and every ket \(|v\rangle \) such that their multiplication is well defined. Given the normalisation constraint in quantum states, it is no wonder quantum gates should be unitary matrices (Figs. 6 and 7).

Fig. 6

The statement and the proof that unitary matrices preserve length

Actually, unitary matrices are the only matrices that preserve length. To prove this result one needs the following key lemma.

$$\begin{aligned} (M\,|\psi \rangle )^\dagger = \langle \psi |\,M^\dagger , \end{aligned}$$

where \(\langle \psi |\) is Dirac’s bra notation, namely if \(|\psi \rangle \) is the column vector

$$\begin{aligned} \begin{pmatrix}a_1 \\ \vdots \\ a_{2^n} \end{pmatrix}, \end{aligned}$$

then its bra is the corresponding row vector with conjugate coefficients

$$\begin{aligned} \begin{pmatrix} a_1^* \cdots a_{2^n}^* \end{pmatrix}. \end{aligned}$$

Fig. 7

A key lemma to prove that length-preserving matrices are unitary

Using this lemma and the many results on the dagger operator and unitary matrices provided in the library, one can eventually prove that length-preserving matrices are unitary (Fig. 8).

Fig. 8

Length-preserving matrices are unitary

Now, we introduce our first quantum gate, namely the Hadamard gate H (Fig. 9). It is a single-qubit gate, i.e. a \(2 \times 2\) unitary matrix,

$$\begin{aligned} H = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 &{} 1 \\ 1 &{} -1 \end{pmatrix}. \end{aligned}$$

Fig. 9

The definition of the Hadamard gate in Quantum.thy

One can easily check that H is unitary and self-adjoint, i.e. \(H^\dagger = H\) (Fig. 10).

Fig. 10

The formal proof in Isabelle that H is a gate and is self-adjoint

The action of H on the basis elements is given as follows.

$$\begin{aligned} |0\rangle \mapsto \frac{1}{\sqrt{2}} \,(|0\rangle + |1\rangle ) \\ |1\rangle \mapsto \frac{1}{\sqrt{2}} \,(|0\rangle - |1\rangle ) \end{aligned}$$

As a consequence, H maps a state \(\alpha _0\,|0\rangle + \alpha _1\,|1\rangle \) to \(\frac{\alpha _0 + \alpha _1}{\sqrt{2}}\,|0\rangle + \frac{\alpha _0 - \alpha _1}{\sqrt{2}}\,|1\rangle \).

Since H creates a superposition, it is truly a quantum gate. Maybe somewhat puzzling for the beginner is the fact that H is sometimes described as a “square-root of NOT” gate. One simply means that it turns \(|0\rangle \) (resp. \(|1\rangle \)) into \(\frac{1}{\sqrt{2}} \,(|0\rangle + |1\rangle )\) (resp. \(\frac{1}{\sqrt{2}} \,(|0\rangle - |1\rangle )\)), so “halfway” between \(|0\rangle \) and \(|1\rangle \).

Before introducing our first example of a 2-qubit gate, we need to say a few words on the initial states of a 2-qubit system. Actually, such states are given by the tensor product of the states of each qubit. For instance, if the first qubit is in the initial state and the second one is in the initial state , then the initial state of the combined system is

Now, an interesting 2-qubit quantum gate is the controlled-NOT gate (cNOT). Its matrix representation is given by

$$\begin{aligned} cNOT = \begin{pmatrix} 1 &{} 0 &{} 0 &{} 0 \\ 0 &{} 1 &{} 0 &{} 0 \\ 0 &{} 0 &{} 0 &{} 1 \\ 0 &{} 0 &{} 1 &{} 0 \end{pmatrix}, \end{aligned}$$

and one easily checks that the cNOT gate is unitary and it is again self-adjoint (Fig. 11).

Fig. 11

The formal proof that cNOT is a 2-qubit gate

The cNOT gate maps the basis elements \(|00\rangle , |01\rangle , |10\rangle , |11\rangle \) to \(|00\rangle , |01\rangle , |11\rangle , |10\rangle \), respectively. In other words, the cNOT gate flips the second qubit (the so-called target qubit) if the first qubit (the so-called control qubit) is 1 and does nothing otherwise. One summarizes the action of the cNOT gate with the following handy piece of notation

$$\begin{aligned} |xy\rangle \mapsto |x\;x\oplus y\rangle , \end{aligned}$$

where \(\oplus \) denotes the addition modulo 2.

The cNOT gate can be used to perform non-classical computations. For instance, starting with the \(|00\rangle \) state and applying a Hadamard gate to the first qubit followed by a cNOT gate, one creates the state \(\frac{1}{\sqrt{2}}\,(|00\rangle + |11\rangle )\), which is a highly non-classical state, a so-called Bell’s state (more on that later).

To put everything together, let us assume that we have a 3-qubit system. Moreover, assume that we want to apply an Hadamard gate to the first qubit and a cNOT gate to the second and third qubits. The initial state of the combined system is given by \(|x\rangle \otimes |y\rangle \otimes |z\rangle \) which is a 8-dimensional column vector with \(|x\rangle \) (resp. \(|y\rangle \), \(|z\rangle \)) denoting the initial state of the first (resp. second, third) qubit. Since the tensor product is associative, we omit the parentheses in \(|x\rangle \otimes |y\rangle \otimes |z\rangle \). Then one can sum up the two gate applications using only one \(8\times 8\) matrix, namely \(H \otimes cNOT\), where \(\otimes \) denotes the Kronecker product between two matrices. With this in mind we needed to formalize the Kronecker product in our library and proved that the Kronecker product of two gates is a gate as shown in the snippet of code above. This essentially amounts to proving that the Kronecker product of two unitary matrices is a unitary matrix (Fig. 12).

Fig. 12

The Kronecker product of two quantum gates is a quantum gate (see More_Tensor.thy)

At that point we faced a design choice connected to the important issue of legacy code in formal mathematics. Indeed, there is already a formalisation of the Kronecker product in [6] but for a legacy notion of matrix which is not the one developed in [5] and used in our library. So, we could either restart the formalisation of the Kronecker product from scratch or we could build a bridge between the two formalisations of matrices available and reuse as much as possible the code in [6]. We chose the latter, using the code available as a convenient scaffolding (cf. our theory Tensor.thy). This choice may ease in the future the reuse of formalisations based on legacy matrices.

We come back to the state \(\frac{1}{\sqrt{2}}\,(|00\rangle + |11\rangle )\) obtained as the result of the application of the Hadamard gate followed by the cNOT gate to the state \(|00\rangle \). Actually, this state is part of a set of four states known as the Bell’s states (Fig. 13) or sometimes the EPR states (EPR stands for Einstein, Podolsky and Rosen):

$$\begin{aligned} |\beta _{00}\rangle= & {} \frac{1}{\sqrt{2}}\,(|00\rangle + |11\rangle ) \\ |\beta _{01}\rangle= & {} \frac{1}{\sqrt{2}}\,(|01\rangle + |10\rangle ) \\ |\beta _{10}\rangle= & {} \frac{1}{\sqrt{2}}\,(|00\rangle - |11\rangle ) \\ |\beta _{11}\rangle= & {} \frac{1}{\sqrt{2}}\,(|01\rangle - |10\rangle )\;. \end{aligned}$$

Fig. 13

The Bell’s states (see Quantum.thy)

The peculiarity of these states resides in the fact that they cannot be written as the tensor product of two 1-qubit states. These states are said to be entangled. Entanglement, one of the key concepts in quantum mechanics, is simply the fact that not every state is a tensor product of smaller states (Fig. 14).

Fig. 14

The property of being entangled (see Entanglement.thy)

In the case of the Bell’s state \(|\beta _{00}\rangle \) for instance it is very easy to prove that it cannot be written as \((\alpha _{0}|0\rangle + \alpha _{1}|1\rangle ) \otimes (\alpha _{0}'|0\rangle + \alpha _{1}'|1\rangle )\) using the distributivity of the tensor product (Fig. 15).

Fig. 15

The proof that \(|\beta _{00}\rangle \) is entangled (see Entanglement.thy)

Finally, in the library many other quantum gates are introduced like the Pauli matrices X, Y and Z, the phase gate S, the T gate³.

4 Measurements

Given a n-qubit system, the state of a qubit involves \(2^n\) amplitudes linked by a normalisation constraint. Can we determine those amplitudes? For instance take \(n=1\), a quantum state has the form \(\alpha _0 |0\rangle + \alpha _1 |1\rangle \) with \(|\alpha _0 |^2 + \vert \alpha _1 |^2 = 1\). Can we determine \(\alpha _0\) and \(\alpha _1\)? The answer is no. A quantum state cannot be directly observed and the amplitudes cannot be directly determined.

Actually, the outcome of any measurement of our qubit through an apparatus is a classical bit of information. Moreover, the measurement will disturb the state of the qubit. Indeed, the outcome will be either 0 with probability \(|\alpha _0 |^2\) or 1 with probability \(|\alpha _1 |^2\). The sum of the probabilities should be 1, hence the normalisation constraint of quantum states. Moreover, if the outcome happens to be 0 (resp. 1), then the post-measurement state is \(|0\rangle \) (resp. \(|1\rangle \)) and the amplitudes vanish.

The generalisation to a multiple qubits system is straightforward. For a system of two qubits, assuming the state of our system is

$$\begin{aligned} \alpha _{00} |00\rangle + \alpha _{01} |01\rangle + \alpha _{10} |10\rangle + \alpha _{11} |11\rangle \;, \end{aligned}$$

one has

$$\begin{aligned} pr(00)= & {} |\alpha _{00} |^2 \\ pr(01)= & {} |\alpha _{01} |^2 \\ pr(10)= & {} |\alpha _{10} |^2 \\ pr(11)= & {} |\alpha _{11} |^2, \end{aligned}$$

where pr(00) (resp. pr(01), pr(10), pr(11)) denotes the probability of the outcome being 0 for both qubits (resp. 0 for the first one and 1 for the second one, 1 for the first one and 0 for the second one, 1 for both qubits), and the post-measurement state is \(|00\rangle \) (resp. \(|01\rangle \), \(|10\rangle \), \(|11\rangle \)).

Now, what does happen if one has a 2-qubit system and one makes a partial measurement, i.e. one measures the first qubit for instance (but not the second one)? What are the probabilities pr(0) and pr(1) of the outcome being 0 and 1, respectively? One has

$$\begin{aligned} pr(0)= & {} pr(00) + pr(01) = |\alpha _{00}|^2 + |\alpha _{01} |^2 \\ pr(1)= & {} pr(10) + pr(11) = |\alpha _{10}|^2 + |\alpha _{11}|^2. \end{aligned}$$

In other words, we sum over the probabilities of measuring the whole system and getting 0 (resp. 1) for the first qubit. What is the post-measurement state of the system? To get the answer we first rewrite

$$\begin{aligned} \alpha _{00} |00\rangle + \alpha _{01} |01\rangle + \alpha _{10} |10\rangle + \alpha _{11} |11\rangle \end{aligned}$$

as

$$\begin{aligned} |0\rangle \otimes (\alpha _{00} |0\rangle + \alpha _{01} |1\rangle ) + |1\rangle \otimes (\alpha _{10} |0\rangle + \alpha _{11} |1\rangle ). \end{aligned}$$

If the outcome of measuring only the first qubit happens to be 0 (resp. 1), then the post-measurement state of the system is

$$\begin{aligned} |0\rangle \otimes \frac{\alpha _{00} |0\rangle + \alpha _{01} |1\rangle }{\sqrt{|\alpha _{00} |^2 + |\alpha _{01} |^2}} \quad ( resp. \ |1\rangle \otimes \frac{\alpha _{10} |0\rangle + \alpha _{11} |1\rangle }{\sqrt{|\alpha _{10} |^2 + |\alpha _{11} |^2}})\,. \end{aligned}$$

In particular, the state of the second qubit after measuring 0 (resp. 1) for the first qubit is

$$\begin{aligned} \frac{\alpha _{00} |0\rangle + \alpha _{01} |1\rangle }{\sqrt{|\alpha _{00} |^2 + |\alpha _{01} |^2}} \quad ( resp. \ \frac{\alpha _{10} |0\rangle + \alpha _{11} |1\rangle }{\sqrt{|\alpha _{10} |^2 + |\alpha _{11} |^2}})\,, \end{aligned}$$

namely the normalised vector of \(\alpha _{00} |0\rangle + \alpha _{01} |1\rangle \) (resp. \(\alpha _{10} |0\rangle + \alpha _{11} |1\rangle \)).

To translate measurements in Isabelle we first need a predicate select_index such that select_index n i j outputs true if the jth element of the computational basis has a 1 at the ith spot of its label and false otherwise (Fig. 16).

Fig. 16

The select_index predicate (see Measurement.thy)

Then given the state of a n-qubit system, we can compute the probability⁴ of the outcome being 0 (resp. 1) when measuring the ith qubit (Fig. 17).

Fig. 17

Computing the probabilities of outcomes (see Measurement.thy)

If the outcome of measuring the ith qubit is 0 (resp. 1), then post_meas0 (resp. post_meas1) gives the new state of the system (Fig. 18).

Fig. 18

The new states of the system after outcome 0 and 1, respectively (see Measurement.thy)

Entanglement has some interesting consequences with respect to measurement. In quantum mechanics measurements of physical properties, such as momentum, position or spin, on entangled particles are perfectly correlated. In quantum computing this phenomenon can be illustrated through the Bell states. Given a Bell state, if one makes one measurement, then one gets either 0 with probability 1/2 or 1 with probability 1/2 whatever the qubit being measured (either the first or the second one). Moreover, in the case of two successive measurements of the first and second qubit, the outcomes are correlated. Indeed, in the case of \(|\beta _{00}\rangle \) or \(|\beta _{10}\rangle \) (resp. \(|\beta _{01}\rangle \) or \(|\beta _{11}\rangle \)) if one measures the second qubit after a measurement of the first qubit (or the other way around) then one gets the same outcomes (resp. opposite outcomes), i.e. the probability of measuring 0 for the second qubit after a measurement with outcome 0 for the first qubit is 1 (resp. 0).

5 Theorems and Quantum Algorithms

We present briefly the main theorems and algorithms formalized in the library. For a detailed presentation the reader is invited to consult a standard reference like [7].

5.1 The No-Cloning Theorem

A notable theorem in quantum computation and quantum information is the so-called no-cloning theorem articulated by Wootters and Zurek [8] and by Dieks [9]. It is one of the earliest results in the field. Roughly, the no-cloning theorem states it is impossible to make an exact copy of an unknown quantum state. Since classical information can be copied exactly, this no-go theorem⁵ is one of the main differences between classical and quantum information. More precisely, given two non-orthogonal quantum states \(|\phi \rangle \) and \(|\psi \rangle \), there does not exist a quantum device that, when input with \(|\phi \rangle \) (resp. \(|\psi \rangle \)), outputs \(|\phi \rangle \otimes |\phi \rangle \) (resp. \(|\psi \rangle \otimes |\psi \rangle \)). First, we use Isabelle’s locale mechanism to define a quantum machine. A quantum machine consists of a natural number n, a complex vector s, and a complex matrix U, plus the assumptions that s has dimension \(2^n\) and U is a \(2^{2n} \times 2^{2n}\) unitary matrix (Fig. 19).

Fig. 19

A quantum machine in Isabelle (see No_Cloning.thy)

Second, we need to introduce the inner product \(\langle v|w\rangle \) of two complex vectors v, w (Fig. 20).

Fig. 20

The inner product of two complex vectors (see Quantum.thy)

Recall that for every complex vector v one has \(\Vert v\Vert ^2 = \langle v|v\rangle \) (Fig. 21), and two complex vectors v, w being orthogonal means their inner product \(\langle v|w \rangle \) is 0.

Fig. 21

The squared length of a complex vector is equal to its inner product with itself (see Quantum.thy)

Thus, in Isabelle the no-cloning theorem is formalised as follows (Fig. 22).

Fig. 22

The no-cloning theorem (see No_Cloning.thy)

In other words, if someone has built a quantum machine which is able to copy two quantum states (i.e. two normalised complex vectors), then these two states are either identical or orthogonal. The proof relies on the Cauchy-Schwarz inequality:

$$\begin{aligned} |\langle v|w\rangle |^2 \le \langle v|v\rangle \langle w|w\rangle \end{aligned}$$

for every complex vectors v and w (Fig. 23).

Fig. 23

The Cauchy-Schwarz inequality (see No_Cloning.thy)

In the snippet above one needs to take the real part of \(\langle v|v\rangle \langle w|w\rangle \), since Isabelle is not able to notice immediately that \(\langle v|v\rangle \langle w|w\rangle \) is a real number and so the real part is required for type-checking.

5.2 Quantum Teleportation

The quantum teleportation protocol has already been formalised with the proof assistant Coq [3]. We follow closely this previous formalisation to give a counterpart in Isabelle.

First, we outline the protocol introduced in the seminal paper of Bennett et al. [10]. The quantum teleportation allows the transmission of an unknown quantum state between a sender and a receiver in the absence of a quantum channel using only an entangled pair and a classical channel. Let us assume that Alice in London wants to send Bob in Paris an unknown quantum state \(|\varphi \rangle \). By sharing an EPR pair, each taking one qubit of the EPR pair, this feat can be achieved. Indeed, Alice can take the tensor product of \(|\varphi \rangle \) with her half of the EPR pair to apply a cNOT gate (using \(|\varphi \rangle \) as the control qubit) and then apply an Hadamard gate on \(|\varphi \rangle \). Finally, she measures her two qubits, obtaining one of the four possible results: 00, 01, 10 or 11. She sends these two classical bits to Bob using the classical channel at her disposal. Depending on Alice’s two bits, Bob performs one of four predetermined operations on his half of the EPR pair. More precisely, if Alice’s two bits are 00 (resp. 01, 10, 11) then Bob applies the identity (resp. Pauli’s X gate, Pauli’s Z gate, Pauli’s X gate followed by Pauli’s Z gate). It can be shown that as a result Bob recovers \(|\varphi \rangle \)!

In the quantum circuit below the single lines denote qubits, the top two lines being Alice’s qubits while the last one is Bob’s qubit. The first gate represents a cNOT gate, H denotes an Hadamard gate, the meters represent measurements, the double lines are classical channels carrying the classical bits M1 and M2 obtained after the measurements. This circuit gives a concise description of the protocol outlined above (Fig. 24).

Fig. 24

Circuit implementing the quantum teleportation protocol

The formal specification of the protocol can be written in Isabelle as follows (Fig. 25).

Fig. 25

The quantum teleportation (see Quantum_Teleportation.thy)

The function alice_out \(\varphi \) q outputs the two classical bits sent by Alice after the measurements.

The decoding function bob q (alice_out \(\varphi \) q) corresponds to the state of a 3-qubit system whose first and the second qubits are Alice’s qubits after measurement and third qubit is Bob’s qubit after performing his predetermined operation given the two classical bits sent by Alice (Fig. 26).

Fig. 26

Bob’s decoding function

Then the formal specification 25 asserts that the final state of Bob’s qubit is nothing but \(|\varphi \rangle \), namely the state given as argument and representing the unknown state Alice started with. The quantum state \(|\varphi \rangle \) has been “teleported” from the first to the third position, i.e. from Alice to Bob. The existential quantification in the statement asserting that whatever Alice’s two classical bits sent to Bob the state of the combined system always “factors” through \(|\varphi \rangle \).

5.3 The Deutsch–Jozsa Algorithm

Deutsch in [11] was the first to demonstrate that a quantum computer could perform a task faster than any classical computer. His algorithm was improved later by numerous researchers. We explain below the purpose of Deutsch’s algorithm.

A function taking values in \(\lbrace 0,1\rbrace \) is balanced if it outputs 0 for half of its inputs and 1 for the other half. We start with a function \(f:\lbrace 0,1\rbrace \rightarrow \lbrace 0,1\rbrace \).

Classically one needs two evaluations of f to determine if the function f is constant or balanced. Deutsch’s quantum algorithm determines if f is constant or balanced using only one evaluation of f. This feat is made possible by quantum parallelism, i.e. the ability to evaluate a function f(x) for many values of x simultaneously. The quantum circuit implementing Deutsch’s algorithm is drawn above (Fig. 27).

Fig. 27

Circuit implementing Deutsch’s algorithm

Two qubits are prepared, one in the state \(|0\rangle \) and another one in the state \(|1\rangle \) . A Hadamard gate is then applied to each of them followed by the unitary \(U_f\). Afterward the second qubit remains unchanged while the first one is subject to another application of the Hadamard transform. Finally, the first qubit is measured.

In Isabelle the set-up is provided by the following locale.

Then we translate the algorithm in Isabelle, the last gate operation being translated by \(H \otimes Id\,1\) since it leaves the second qubit untouched. Note that if time flows from left to right in the circuit, the code should be read from right to left, since the first matrix applied in a matrix multiplication is the one on the right (Fig. 28).

Fig. 28

Deutsch’s algorithm (see Deutsch.thy)

Finally, we check the correctness of the algorithm (Fig. 29).

Fig. 29

Deutsch’s algorithm (see Deutsch.thy)

where deutsch_algo_eval is equal to \(f(0) \oplus f(1)\), namely \(f(0) + f(1)\) modulo 2.

Deutsch’s algorithm has a generalisation, the so-called Deutsch–Jozsa algorithm, where the domain of f has \(2^n\) values.

Let us assume that we have a function \(f:\lbrace 0,\dots , 2^n-1\rbrace \rightarrow \lbrace 0,1\rbrace \) which is either constant or balanced. In the following circuit for the Deutsch–Jozsa algorithm the wire annotated with \(/^n\) represents a set of n qubits (Fig. 30). For n = 1 one recovers the particular case of Deutsch’s algorithm.

Fig. 30

Circuit implementing the Deutsch–Jozsa algorithm

The set-up in Isabelle is given by two locales where Bob promises Alice that he will use a function which is either constant or balanced.

Classically in the worst-case scenario Alice needs \(\frac{2^n}{2} + 1\) queries to determine if Bob’s function f is constant or balanced. Indeed, Alice can get \(\frac{2^n}{2}\) 0s before getting a 1. However, using the Deutsch–Jozsa algorithm Alice can decide if f is constant or balanced using only one evaluation of f.

The translation in Isabelle is similar to the one of Deutsch’s algorithm except that the evaluation of the algorithm now requires the measurement of the first n qubits (Fig. 31).

Fig. 31

The Deutsch–Jozsa algorithm (see Deutsch_Jozsa.thy)

Then one can certify the correctness of the Deutsch–Jozsa algorithm which outputs 1 (resp. 0) if and only if f is constant (resp. balanced) (Fig. 32).

Fig. 32

The Deutsch–Jozsa algorithm (see Deutsch_Jozsa.thy)

5.4 The Quantum Prisoner’s Dilemma

We will assume that the reader is familiar with the Prisoner’s Dilemma and the basic concepts of non-cooperative game theory [12]. The quantum version of the Prisoner’s Dilemma was introduced by Eisert, Wilkens and Lewenstein in their classic article [13].

The strategic space of the quantum game is given by the set of unitary \(2\times 2\) matrices of the form

$$\begin{aligned} {\hat{U}}(\theta ,\varphi )= \begin{pmatrix} e^{i\varphi }\cos (\theta /2) &{} \sin (\theta /2) \\ -\sin (\theta /2) &{} e^{-i\varphi }\cos (\theta /2) \end{pmatrix} \end{aligned}$$

with \(0 \le \theta \le \pi \) and \(0 \le \varphi \le \pi /2\). As noted in [14] the strategic space used by Eisert et al. consisting of these 2-parameter unitary matrices is only a subset of SU(2) and as a consequence is unlikely to reflect any reasonable physical constraint. However, this subset already exhibits interesting properties arising in the quantum regime and as a consequence is worth studying.

The quantization scheme is parametrized by a real \(\gamma \in [0,\pi /2]\) which is a measure of the game’s entanglement. For \(\gamma = 0\) one recovers the classical game while \(\gamma = \pi /2\) corresponds to a maximally entangled game (Fig. 33).

Fig. 33

Our two players, Alice and Bob, and their parameters defining their strategies

Then one defines a unitary operator \({\hat{J}}\) as \({\hat{J}}{:=} exp\lbrace i\,\gamma \;{\hat{D}}\otimes {\hat{D}}/2\rbrace \), where \({\hat{D}}:= {\hat{U}}(\pi ,0)\) is the strategy to defect while \({\hat{C}}{:=} {\hat{U}}(0,0)\) is the strategy to cooperate.

If \({\hat{U}}_A{:=} {\hat{U}}(\theta _A, \varphi _A)\) (resp. \({\hat{U}}_B{:=} {\hat{U}}(\theta _B, \varphi _B)\)) denotes Alice’s (resp. Bob’s) strategy, then the final state of the game is given by (Fig. 34).

$$\begin{aligned} |\psi _f\rangle {:=} {\hat{J}}^{\dagger } \, ({\hat{U}}_A \otimes {\hat{U}}_B) \, {\hat{J}} \, |00\rangle \,. \end{aligned}$$

Fig. 34

The final state of the game

Finally, Alice’s expected payoff is calculated according to the following formula

$$\begin{aligned} \$_A {:=} 3 P_{00} + P_{11} + 5 P_{10}\,, \end{aligned}$$

while Bob’s expected payoff is obtained by

$$\begin{aligned} \$_B {:=} 3 P_{00} + P_{11} + 5P_{01}\,, \end{aligned}$$

where \(P_{xy} {:=} |\langle xy|\psi _f\rangle |^2\) (Fig. 35).

Fig. 35

Alice’s and Bob’s expected payoffs

To formalise in Isabelle the main results of [13], we need to introduce formal definitions for Nash equilibriums and Pareto optimality in the context of our game and its restricted strategic space (Fig. 36).

Fig. 36

The formal definitions of Nash equilibrium and Pareto optimality, respectively

In the classical game (\(\gamma = 0\), also called the separable case) it is well known that both players defecting (i.e. playing the strategy \({\hat{D}}\), namely \(\varphi _A = \varphi _B = 0\) and \(\theta _A = \theta _B = \pi \)) is a Nash equilibrium.

First, the authors prove that in the maximally entangled quantum game (\(\gamma = \pi /2\)) both players defecting is no longer a Nash equilibrium.

Second, the authors introduce a new quantum strategy when \(\gamma = \pi /2\), coined the quantum move and denoted \(Q {:=} {\hat{U}}(0, \pi /2)\), with a high payoff (namely 3) for both players resolving the prisoner’s dilemma. They prove that both players playing Q is a Nash equilibrium which is also Pareto optimal (Fig. 37).

Fig. 37

In the quantum regime a new Nash equilibrium appears which is Pareto optimal

Finally, in the last part of their article Eisert et al. study an unfair version of the Prisoner’s Dilemma where one player is restricted to classical strategies while the second player is not subject to such a restriction, i.e. Alice can play any strategy, either classical or quantum, while Bob can only play classical strategies. However, in the next section we point out a flaw in their treatment of the unfair version of the game. Indeed, we will see it is not true that the so-called miracle move as defined in [13] always gives quantum Alice a large reward against classical Bob and outperforms the so-called tit-for-tat strategy in an iterated game.

6 The Unfair Version of the Quantum Prisoner’s Dilemma

Below we show the section in [13] on the quantum-classical version of the Prisoner’s Dilemma, where Alice may use a quantum strategy while Bob is restricted to a classical strategy, is flawed.

In particular, the claim that the so-called miracle move, defined as \({\hat{M}}{:=} {\hat{U}}(\pi /2,\pi /2)\), gives Alice

at least reward \(r = 3\) as pay-off, since \(\$_A({\hat{M}},{\hat{U}}(\theta ,0)) \ge 3\) for any \(\theta \in [0,\pi ]\), leaving Bob with \(\$_B({\hat{M}},{\hat{U}}(\theta ,0)) \le \frac{1}{2}\) [13, p.3079]

is false. Indeed, for a maximally entangled game \(\gamma = \frac{\pi }{2}\), for \(\theta = \frac{\pi }{2}\) one has

In the situation where Alice plays the miracle move while Bob is restricted only to classical strategies, for \(0 \le \gamma \le \frac{\pi }{2}\) we have

$$\begin{aligned} \$_A({\hat{M}},{\hat{U}}(\theta ,0))&= \frac{1}{8}\, (21 + \cos (\gamma )^{2} (-3 + 14 \cos \theta ) + 3 \sin (\gamma )^{2}-16 \sin \gamma \sin \theta ) \end{aligned}$$

(1)

$$\begin{aligned} \$_B({\hat{M}},{\hat{U}}(\theta ,0))&= \frac{1}{8}\, (11 + \cos (\gamma )^{2} (7-6 \cos \theta )-7 \sin (\gamma )^{2} + 4 \sin \gamma \sin \theta )\;. \end{aligned}$$

(2)

So, pluging \(\gamma = \frac{\pi }{2}\) in equations (1) and (2) gives

$$\begin{aligned} \$_A({\hat{M}},{\hat{U}}(\theta ,0)) - \$_B({\hat{M}},{\hat{U}}(\theta ,0)) = \frac{5}{2}(1 -\sin \theta ) \end{aligned}$$

admitting a minimum of 0 when \(\theta =\frac{\pi }{2}\).

In other words, the dilemma is not removed in favor of the quantum player contrary to the claim in [15, III.C] which reproduced the error in [13] supported by erroneous computations (the authors found \(\$_A = 3 + 2\sin \theta \) and \(\$_B = \frac{1}{2}(1 - \sin \theta )\) instead of \(\$_A = 3 - 2\sin \theta \) and \(\$_B = \frac{1}{2}(1 + \sin \theta )\)).

Indeed, Bob can immunize himself against Alice’s miracle move by playing the down-to-earth move \({\hat{E}}\)

$$\begin{aligned} {\hat{E}}\equiv {\hat{U}}(\frac{\pi }{2},0) = \frac{1}{\sqrt{2}} \begin{pmatrix} 1 &{} 1 \\ -1 &{} 1 \end{pmatrix}\;, \end{aligned}$$

the outcome being a draw \(\$_A = \$_B = 1\).

Assuming \(\gamma =\frac{\pi }{2}\), \(\phi _B = 0\), we get the following pay-off matrix.

Alice	Bob
	\({\hat{C}}\)	\({\hat{D}}\)	\({\hat{E}}\)
\({\hat{C}}\)	(3, 3)	(0, 5)	\((\frac{3}{2},4)\)
\({\hat{D}}\)	(5, 0)	(1, 1)	\((3,\frac{1}{2})\)
\({\hat{Q}}\)	(1, 1)	(5, 0)	\((3,\frac{1}{2})\)
\({\hat{M}}\)	\((3,\frac{1}{2})\)	\((3,\frac{1}{2})\)	(1, 1)

So, if Alice plays \({\hat{M}}\), the dominant strategy of Bob becomes \({\hat{E}}\), thereby doing substantially worse than if they would both cooperate, reproducing the dilemma. Moreover, nothing supports the claim that Alice

may choose “Always-\({\hat{M}}\)” as her preferred strategy in an iterated game. This certainly outperforms tit-for-tat [...] [13, p.3079].

In conclusion, the “miracle move” as defined in [13] is of no advantage.

7 Conclusions and Future Work

Our work demonstrates that an extensive formalisation of quantum algorithms and quantum information theory in Isabelle/HOL is possible and not a fruitless exercise. Indeed, the Letter [13] of Eisert et al. is a pioneering and highly cited article published in Physical Review Letters, a high-profile physics journal. The error uncovered therein is a notable unexpected outcome of our library. Indeed, this error had gone unnoticed in the field until our work and we found at least one subsequent published paper that reproduced it. After a private communication Eisert et al. acknowledged their error and they actually found a fix to re-establish their conclusions regarding what they call the “miracle move”. An erratum was published by Physical Review Letters [16].

Possible future applications of our library could include the verification of quantum cryptographic protocols, Isabelle having been successfully used in the past by Lawrence Paulson for the verification of cryptographic protocols using inductive definitions [17]. A related work is the formalisation in Isabelle of parts of the Quantum Key Distribution algorithm by Florian Kammüller using a framework extending attack trees to probabilistic reasoning on attacks [18].

Last, there is ongoing work in our library to formalise the quantum Fourier transform and unlock the potential formalisation of a wide range of more advanced quantum algorithms relying on it.