Proofs of Quantum Memory (PoQM)

• PoQM is an interactive protocol that certifies, via classical challenges, that a remote device retains a specified quantum memory over a given time period.
• It leverages cryptographic constructs—such as LWE-based puzzles and remote state preparation—to ensure rigorous soundness and memory persistence.
• PoQM generalizes proofs of quantumness and underpins secure quantum communication and computation by validating the integrity of large-scale quantum memory.

The concept of Proofs of Quantum Memory (PoQM) formalizes interactive protocols that enable a classical verifier to ascertain that a remote device (potentially accessible only via a classical channel) actually possesses quantum memory of a prescribed size (number of qubits) and maintains it over a specified time period. The framework generalizes prior constructs such as proofs of quantumness (PoQ) by certifying not only the quantum behavior of a device, but also its ability to allocate and sustain substantial quantum memory resources—an essential property for the validation of next-generation quantum computing, communication, and cryptographic architectures.

1. Formal Definition and Properties of PoQM

A PoQM protocol, as defined in (Hhan et al., 5 Oct 2025), is a two-phase interactive protocol between a classical probabilistic polynomial-time (PPT) verifier and a quantum polynomial-time (QPT) prover. The parameters are $(\alpha, \beta, m_1, m_2)$, where $m_1$ and $m_2$ denote qubit storages.

• Initialization Phase: The verifier $V_1$, on input $1^n$, outputs a classical string $v$. The prover $P_1$ outputs a classical string $state$ and an $m_1$-qubit state $Ostate$. Thus,

$$(v, (state, Ostate)) \leftarrow (V_1(1^n), P_1(1^n)) \qquad [\text{Eq. 15}]$$

• Execution Phase: The verifier $V_2$ takes $v$, the prover $P_2$ takes $(state, Ostate)$, and after classical interaction $V_2$ outputs $T$ (accept) or $L$ (reject):

$$T/L \leftarrow (V_2(v), P_2(state, Ostate)) \qquad [\text{Eq. 16}]$$

The protocol must satisfy:

• $\alpha$-completeness. For $n$ sufficiently large, an honest prover is accepted with probability at least $\alpha$:

$$\Pr[T \leftarrow (V_2(v), P_2(state, Ostate)) : (v, (state, Ostate)) \leftarrow (V_1(1^n), P_1(1^n))] > \alpha \qquad [\text{Eq. 17}]$$

• $(\beta, m_2)$-soundness. For any QPT adversary that uses at most $m_2$ qubits (i.e., after the first phase, the adversary's state is a classical string $s$ and an $m_2$-qubit state $p$), the maximum acceptance probability in the execution phase is at most $\beta$:

$$\Pr[T \leftarrow (V_2(v), P_2(s, p)) : (v, (s, p)) \leftarrow (V_1(1^n), P^*(1^n))] < \beta \qquad [\text{Eq. 18}]$$

This definition encapsulates the requirement that "quantum memory" (specifically $m_1$ qubits) must persist during the protocol's critical time window—a property not certified by conventional PoQ, which focuses only on non-classical behavior without quantifying memory.

2. Explicit Constructions Based on LWE Hardness

Two main PoQM protocols are constructed relying on the Learning With Errors (LWE) assumption, parameterized for desired completeness and soundness:

• Four-Round (Negligible Soundness, Subexponential LWE) Construction:
  • The protocol employs a cryptographic primitive called a "1-of-2$^k$" puzzle with $c$-soundness (four algorithms: KeyGen, Obligate, Solve, Ver).
  • In the initialization phase, the verifier runs KeyGen (generating a public/secret key), sends the public key to the prover, and receives a commitment for the quantum state (Obligate).
  • In the execution phase, the verifier issues a $k$-bit challenge, and the prover responds using Solve; the verifier checks the response using Ver.
  • Soundness error is negligible in $n$ (assuming subexponential LWE).
  • Amplification: Using the LOCC leakage property, a $(\alpha, B, m_1, 0)$-PoQM can be amplified to $(\alpha, 2^{-m_2}\cdot B, m_1, m_2)$-PoQM by tolerating $m_2$ bits/qubits leaked to the adversary.
• Polynomial-Round (Inverse-Polynomial Soundness, Poly LWE) Construction:
  • This version utilizes repeated, verifiable Remote State Preparation (RSP) protocols, which allow a classical verifier to direct the quantum prover to prepare known BB84 states.
  • The protocol operates for $m_2(n) = \omega(\log n)$, with soundness error $1/\mathrm{poly}(n)$, under standard polynomial LWE hardness.
  • More rounds are required, but the protocol relaxes the assumption on LWE hardness.

These constructions ensure that, under standard cryptographic assumptions, only an adversary with access to quantum memory above a specified threshold during the prescribed interval can succeed in cheating with non-negligible probability.

3. Implications for Cryptography and Quantum Protocols

PoQM yield several significant cryptographic implications:

• One-Way Puzzles: PoQM imply one-way puzzles (OWPuzzs), which serve as a quantum analogue of one-way functions and are foundational for many cryptographic applications.
• QCCC Key Exchange: A restricted, "extractable" version of PoQM—where the execution phase is single round and an extractor can recover the prover's response—implies secure quantum computation classical communication (QCCC) key exchange, where both parties are QPT and all communication is classical.
• Soundness Amplification Techniques: The security proofs adapt known transformation lemmas (e.g., from Boneh–Zhandry; see Lemma 2.1) and use the LOCC leakage property for BB84 states to maintain tight soundness even in the face of partial cheating or quantum information leakage.

The theoretical link to one-way puzzles highlights a general lower bound on the computational power required for PoQM and strengthens their cryptographic relevance.

4. Comparison to Conventional Proofs of Quantumness

PoQM generalize proofs of quantumness (PoQ):

• Generalization: Setting $m_2 = 0$ in the formal PoQM definition recovers the condition for PoQ, i.e., only non-classicality is required—no demand for persistent quantum storage.
• Certification of Memory: PoQM specifically addresses the problem of authenticating that a device not only acts non-classically during interaction, but actually stores a large quantum state continuously.
• Implication: Existence of $(\alpha, \beta, m_1, 0)$-PoQM automatically ensures existence of an $(\alpha, \beta)$-PoQ.

This distinction is vital for situations where large-scale quantum memories are integrated into critical systems and must be reliably certified by external (classical) parties.

5. Technical and Practical Considerations

Several challenges and subtleties are addressed:

• Classical-Verifier Requirement: All communication is over a classical channel, yet the protocol can certify quantum memory. This is achieved via cryptographic reductions and quantum state commitments that survive classical challenge–response rounds.
• Memory Loss and State Leakage: Protocols are robust to the prover discarding or measuring some of its quantum state between rounds; amplification strategies maintain soundness as supported by the LOCC property and information-theoretic bounds.
• Temporal Certification: The two-phase structure (initialization and execution) directly tests for retaining $m_1$ qubits of coherence over the interval between these phases, accommodating real-world scenarios where adversaries may attempt mid-protocol measurement or state replacement.
• Assumptions: The four-round protocol's negligible soundness requires subexponential LWE hardness; polynomial-round construction relaxes this to polynomial LWE hardness at the cost of more rounds and higher soundness error.

6. Limitations and Extensions

• Extent of Certification: The protocols certify the presence of some quantum memory, but subtle issues (e.g., exact scaling to very large $m_1$, or prover side-channels outside the protocol) may remain. The "extractability" property needed for QCCC key exchange is strictly stronger and currently is established under more restrictive assumptions.
• Classical Lower Bound: As a lower bound, PoQM imply the existence of computationally hard problems (one-way puzzles), so PoQM are not possible in trivial computational models.
• Device Realism: Implementation complexity (for classical verifiers) is kept polynomial, but practical efficiency and deployment for massive-scale quantum memories may face engineering obstacles beyond the protocol layer.

7. Summary Table of Key PoQM Protocol Dimensions

Protocol	Rounds	Soundness Error	Hardness Assumption	Memory Gap Certified
Four-Round	4	Negligible (negl($n$))	Subexp LWE	$m_1 \gg m_2$
Polynomial-Round	Polynomial	$1/\mathrm{poly}(n)$	Poly LWE	$m_1 \gg m_2$

These advances directly enable scalable and robust verification of quantum memory, generalizing classical proof systems and providing architectural guarantees for the next era of quantum infrastructure.