Verifiable Delegated Quantum Computation
- Verifiable Delegated Quantum Computation is defined as a protocol where a resource-constrained client delegates quantum tasks to untrusted servers while ensuring correctness through completeness and soundness guarantees.
- Multiple approaches, including measurement-based methods, post-hoc local Hamiltonian verification, and rigidity-based multiprover schemes, provide varied trade-offs in security, blindness, and client capability.
- Recent advances address composability, noise robustness, and device-independence, steering VDQC towards practical, scalable implementations for near-term quantum devices.
Verifiable delegated quantum computation (VDQC) studies protocols in which a computationally limited client outsources a quantum computation to a more powerful but untrusted server while retaining guarantees of correctness and, frequently, blindness. Across the literature, the client ranges from a purely classical verifier to a measurement-only or state-preparing device; the server ranges from a single prover to multiple entangled provers; and the security model ranges from stand-alone fidelity bounds to composable ideal-resource formulations. The subject now encompasses measurement-based protocols, post-hoc local-Hamiltonian verification, rigidity-based multiprover schemes, relativistic variants, and near-term extensions for noisy devices, variational algorithms, and observable estimation (Grilo, 2017, Kashefi et al., 2024, Yang et al., 9 Oct 2025).
1. Security notions and formal problem statements
In its standard form, VDQC asks for a protocol in which a client delegates a unitary on an input state or a circuit to an untrusted server and obtains the correct output without building a full-scale quantum computer. The two basic requirements are completeness and soundness. In the interactive-proof language used for multiprover protocols, completeness means that honest provers make the verifier accept with high probability and recover the correct answer, whereas soundness means that malicious provers cannot make the verifier accept an incorrect outcome except with small probability (Grilo, 2017). Typical statements take the form
Single-server formulations often phrase verifiability as correctness-or-abort. In a stand-alone formulation, the honest-server output should satisfy , while for any malicious server the dishonest output must remain close to a mixture of the correct output and an abort flag $\ketbra{\bot}$ (Wiesner et al., 10 Mar 2026). In composable formulations this becomes a trace-distance requirement,
$\frac12\|\rho_H-U(\psi)\|_1 \le \varepsilon_H, \qquad \min_{p\in[0,1]} \frac12 \left\|\rho_D-\bigl(pU(\psi)+(1-p)\ketbra{\bot}\bigr)\right\|_1 \le \varepsilon_D,$
which is the natural notion when the protocol is used as a subroutine inside a larger cryptographic construction (Wiesner et al., 10 Mar 2026). Blindness is optional but often desired; several protocols explicitly note that verifiability does not by itself imply blindness, and that one-round or classical-verifier constructions may sacrifice privacy even when they retain correctness guarantees (Grilo, 2017).
2. Computational models and verification reductions
A large part of VDQC is formulated in measurement-based quantum computation (MBQC). In this model, the server prepares an entangled graph state and the computation is driven by single-qubit measurements whose bases depend on previous outcomes. This framework underlies blind and verifiable delegated quantum computation with a weak client, including measurement-only protocols in which the client only performs single-qubit measurements, and state-preparation protocols in which the client only prepares single-qubit states (Morimae, 2016). A recurring structural tool is the flow or gflow of the graph, which organizes the adaptive measurement dependencies and makes MBQC compatible with delegation.
A second major paradigm is post-hoc verification via the Local Hamiltonian problem. Instead of interacting directly with a circuit , the verifier reduces 0 to an 1-local Hamiltonian 2 through the standard circuit-to-Hamiltonian construction, so that low circuit acceptance probability becomes high ground energy and high circuit acceptance probability becomes low ground energy (Grilo, 2017). Verification then reduces to a non-local game for the local Hamiltonian problem. In the one-round two-prover construction, the verifier combines a Pauli Braiding Test with an Energy Test, and after gap amplification obtains a constant-gap game 3 such that YES instances satisfy acceptance probability at least 4 and NO instances at most 5 (Grilo, 2017). This post-hoc route is especially important for classical-verifier protocols because it connects delegated computation to QMA-complete structure.
Restricted computational models have also been incorporated into VDQC. For the one pure qubit model, the paper "Verified Delegated Quantum Computing with One Pure Qubit" defines a purity parameter
6
for 7-qubit states and introduces DQC1-MBQC, an MBQC analogue of DQC1 in which the purity budget remains constant up to an additive constant throughout the pattern (Kapourniotis et al., 2014). It shows 8 and gives a blind, verifiable protocol whose soundness scales as 9 for computation size 0 and repetition parameter 1 (Kapourniotis et al., 2014). This places verification inside a strictly restricted quantum model rather than assuming a universal server from the outset.
3. Single-server constructions and restricted-client regimes
Single-server MBQC remains the dominant paradigm for blind and verifiable delegation with minimal verifier quantum power. In measurement-only verifiable blind quantum computing with quantum input verification, the client initially holds an unknown 2-qubit state 3, embeds it into
4
applies a random permutation and Pauli one-time pad, and delegates an MBQC computation to the server (Morimae, 2016). Verification combines a stabilizer test for the graph state with an input-state test that projects onto
5
If both tests pass with high probability, the joint graph-plus-input state is close in trace distance to the honest target, with
6
which yields an inverse-polynomial completeness–soundness gap (Morimae, 2016). The significance is that even a measurement-only client can verify not only the delegated computation but also the correctness of a quantum input lacking an efficient classical description.
The trusted assumptions on the client have also been weakened in a different direction. "Verification of Quantum Computations without Trusted Preparations or Measurements" shows that information-theoretically secure delegation can be reduced to trusted gate application rather than trusted state preparation or trusted measurement (Kashefi et al., 2024). Its first construction reduces BQP verification to trusted single-qubit 7-rotations and bit flips 8; its second construction yields verification of arbitrary quantum computations with quantum output using arbitrary single-qubit unitaries and multi-qubit Clifford gates on a verifier register whose size is independent of the delegated computation (Kashefi et al., 2024). This alters the usual client-capability taxonomy: instead of choosing between trusted preparations and trusted measurements, one can replace both by a small trusted gate set.
The VUBQC line was also extended beyond pure delegation. "Garbled Quantum Computation" uses the asymmetric structure of UBQC and VUBQC to build a Yao-type protocol for secure two-party quantum computation and a universal one-time compiler using one-time memory, while keeping the garbler’s quantum role at the level of single-qubit preparation (Kashefi et al., 2016). A plausible implication is that trap-based delegation is not only a verification primitive but also a reusable cryptographic substrate.
4. Multi-prover, one-round, relativistic, and device-independent protocols
Classical-verifier protocols with multiple entangled provers exploit rigidity and non-local games to remove almost all trusted quantum capability from the verifier. "Verifier-on-a-Leash" presents two such schemes for a classical verifier interacting with two non-communicating but entangled quantum provers, with total operations and honest-prover EPR-pair complexity 9 for a circuit of size 0 (Coladangelo et al., 2017). The first protocol is blind and uses a number of rounds linear in circuit depth; the second is not blind but uses only a constant number of rounds (Coladangelo et al., 2017). These protocols derive their efficiency from a rigidity theorem certifying arbitrary 1-qubit tensor products of single-qubit Clifford observables with robustness independent of 2, which sharply improves on earlier polynomial-overhead multiprover schemes.
The one-round endpoint of this line is captured by "A simple protocol for verifiable delegation of quantum computation in one round" (Grilo, 2017). There the verifier is purely classical, the provers are two unbounded quantum computers 3 and 4, and interaction consists of one classical message to each prover and one classical answer from each. The protocol reduces delegation to a one-round game for the 5-local Hamiltonian problem, then proves a universal constant 6 such that YES instances of the Hamiltonian problem have acceptance probability at least 7 and NO instances at most 8, with message length 9 bits (Grilo, 2017). Because the game can be embedded in spacetime so that no signal can travel between the provers during the critical interval, the same construction becomes the first relativistic protocol for quantum computation under the no-superluminal-signaling assumption (Grilo, 2017). The protocol is explicitly not blind, and the existence of a blind, one-round, two-server scheme is left open.
Fully device-independent verification pushes the trust assumptions still lower. "Parallel remote state preparation for fully device-independent verifiable blind quantum computation" gives a two-prover scheme in which a classical verifier uses a simple untrusted quantum measurement device together with an untrusted quantum server to remotely prepare the FK input state in a device-independent way, based on a parallel self-test of cardinal and intercardinal measurements in the 0 plane and of the computational basis (Adamson, 2022). The question complexity is especially favorable for this setting: logarithmic in 1 for the client device and constant to the server (Adamson, 2022). By contrast, "Self-guaranteed measurement-based quantum computation" certifies both the resource state and the measurement basis without any prior trusted devices, but with an overhead scaling as 2 resource-state copies for an 3-qubit graph state (Hayashi et al., 2016). These developments show that device-independence is achievable, but presently at a higher structural and sampling cost than weak-client MBQC.
5. Composability, noise robustness, and near-term extensions
Composable security has become central as VDQC moves from complexity-theoretic existence proofs toward reusable cryptographic components. In the Abstract Cryptography framework, secure delegated quantum computation is expressed as construction of an ideal resource from real communication resources, with errors adding under composition (Kashefi et al., 2024). This formalism underlies not only MBQC delegation but also realistic optical implementations. "Composably Secure Delegated Quantum Computation with Weak Coherent Pulses" replaces trusted single-photon sources by weak coherent pulses, constructs a BatchRSP resource from a WCPGenerator, and composes it with earlier SDQC protocols to obtain information-theoretic composable security and negligible error (Garnier et al., 11 Mar 2025). In its simplest two-intensity instantiation, the number of pulses needed per secure input qubit scales as 4 as 5 (Garnier et al., 11 Mar 2025).
Noise robustness is a separate but equally important axis. "Securing Quantum Computations in the NISQ Era" gives a blind and verifiable scheme for deterministic quantum computations with classical inputs and outputs in which the only overhead is a polynomial number of repetitions of the original computation interleaved with test runs using the same physical resources (Kashefi et al., 2020). Under sufficiently small noise, the protocol succeeds with probability exponentially close to 1, and the probability of failing a test run can be as high as 6 for some computations and is generally bounded by 7 when using a planar graph resource state (Kashefi et al., 2020). "Verifying BQP Computations on Noisy Devices with Minimal Overhead" sharpens this perspective by giving a blind and verifiable protocol for delegating BQP computations with repetition as the only overhead, composable and statistically secure with exponentially-low bounds, and able to tolerate a constant amount of global noise (Leichtle et al., 2021). The common idea is to move security amplification out of fault-tolerant graph encodings and into repeated test and computation rounds.
Recent work has specialized VDQC to the dominant near-term workloads. "Verifiable End-to-End Delegated Variational Quantum Algorithms" treats parameter-shift gradient estimation inside variational quantum algorithms, proving that the probability of accepting a gradient whose relative error exceeds a target 8 decreases exponentially in the total number of rounds 9 for each optimization step (Inajetovic et al., 21 Apr 2025). At the algorithmic level, under 0-strong convexity and 1-Lipschitz gradient assumptions, the protocol supplies end-to-end verifiability of gradient descent provided the learning rate and relative gradient error satisfy explicit inequalities (Inajetovic et al., 21 Apr 2025). "Verifiable blind observable estimation" extends the VBQC/RVBQC line from decision problems to expectation-value estimation, defining a Secure Delegated Observable Estimation resource that guarantees the estimate is within some 2 of the true expectation value or else aborts, with negligible security error in the total number of rounds (Yang et al., 9 Oct 2025). These papers indicate that the field is moving from generic decision-problem verification toward application-specific cryptographic primitives.
6. Limitations, impossibility results, and open questions
A central negative result is that cut-and-choose, by itself, is not sufficient for efficient and strongly secure verification. "Verified delegated quantum computation requires techniques beyond cut-and-choose" studies protocols whose only verification mechanism is a random separation into test and computation rounds and proves lower bounds linking the expected number of test rounds 3 to correctness and soundness errors (Wiesner et al., 10 Mar 2026). In the simple stand-alone setting,
4
while in the composable simple case,
5
and in the generalized comb-based model the composable bound becomes 6 (Wiesner et al., 10 Mar 2026). The conclusion is explicit: protocols relying solely on cut-and-choose techniques cannot be secure and efficient at the same time (Wiesner et al., 10 Mar 2026). This situates quantum error correction, authentication, multiprover rigidity, and strong cryptographic assumptions as structural necessities rather than artifacts of current constructions.
Several open questions recur across the literature. One-round classical verification with two servers is known, but the same construction is not blind, and a blind, one-round, two-server scheme remains open (Grilo, 2017). Information-theoretic single-server verification with a purely classical client remains out of reach; existing constructions typically require either two entangled provers, a weak quantum client, or computational assumptions. Even protocols that remove trusted preparations and measurements still rely on trusted gates and retain open questions such as the role of dimension assumptions and whether weaker remote-state-preparation resources suffice for full verification (Kashefi et al., 2024). Fully device-independent and relativistic schemes replace trust in devices by trust in causal or non-communication assumptions, which changes rather than eliminates the foundational assumptions (Adamson, 2022, Grilo, 2017).
The present state of VDQC therefore combines strong existence theorems with a sharp map of trade-offs. Two-prover rigidity yields classical verifiers and even one-round or relativistic security; MBQC trap schemes yield blindness with minimal verifier hardware; trusted-gate reductions weaken long-standing client assumptions; and near-term variants address noisy devices, variational optimization, and observable estimation. At the same time, impossibility results show that efficient verification cannot be obtained from repetition-based testing alone, and the remaining frontier is defined by how blindness, composability, device-independence, fault tolerance, and practical overhead can be satisfied simultaneously (Wiesner et al., 10 Mar 2026).