Symbolic model checking quantum circuits in Maude
 Published
 Accepted
 Received
 Academic Editor
 Marieke Huisman
 Subject Areas
 Emerging Technologies, Theory and Formal Methods, Programming Languages, Software Engineering, Quantum Computing
 Keywords
 Quantum circuits, Dirac notation, Symbolic model checking, Maude
 Copyright
 © 2024 Minh Do and Ogata
 Licence
 This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, reproduction and adaptation in any medium and for any purpose provided that it is properly attributed. For attribution, the original author(s), title, publication source (PeerJ Computer Science) and either DOI or URL of the article must be cited.
 Cite this article
 2024. Symbolic model checking quantum circuits in Maude. PeerJ Computer Science 10:e2098 https://doi.org/10.7717/peerjcs.2098
Abstract
This article presents a symbolic approach to model checking quantum circuits using a set of laws from quantum mechanics and basic matrix operations with Dirac notation. We use Maude, a highlevel specification/programming language based on rewriting logic, to implement our symbolic approach. As case studies, we use the approach to formally specify several quantum communication protocols in the early work of quantum communication and formally verify their correctness: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, Quantum Gate Teleportation, Two Mirrorimage Teleportation, and Quantum Network Coding. We demonstrate that our approach/implementation can be a first step toward a general framework to formally specify and verify quantum circuits in Maude. The proposed way to formally specify a quantum circuit makes it possible to describe the quantum circuit in Maude such that the formal specification can be regarded as a series of quantum gate/measurement applications. Once a quantum circuit has been formally specified in the proposed way together with an initial state and a desired property expressed in linear temporal logic (LTL), the proposed model checking technique utilizes a builtin Maude LTL model checker to automatically conduct formal verification that the quantum circuit enjoys the property starting from the initial state.
Introduction
Quantum computing is a rapidly emerging technology that uses the laws of quantum mechanics to solve complex problems that are very hard for classical computers, such as discrete logarithms and factoring. Several quantum algorithms have been proposed showing a significant improvement over classical algorithms, such as the fast algorithms for discrete logarithms and factoring proposed by Shor (1994). It is well known that cryptosystems relying on the hardness of discrete logarithms and factoring will be broken by largescale quantum computers running Shor’s fast algorithm in the future. Then, quantum communication involving quantum cryptography has attracted much attention from both industry and academia because it provides an efficient and highly secure communication channel relying on quantum mechanics phenomena, such as superposition, entanglement, and probabilistic measurement.
Quantum circuits are a model of quantum computation, comprising a sequence of quantum gates, measurements, initializations of qubits, and possibly other actions. Quantum gates operate on quantum bits (qubits), the quantum counterpart of classical bits, and manipulate the state of a quantum system to perform quantum computations. The outputs of quantum circuits are quantum states, which can be measured to obtain classical outcomes with probabilities from which other actions can take place. Quantum circuits play a crucial role in the development of quantum algorithms because they are used to design and implement quantum algorithms before actually running on quantum computers. Because quantum computing is counterintuitive and radically different from classical computing, the likelihood of errors in quantum algorithms and circuits is much higher than in classical algorithms. Therefore, it is critical to verify that quantum circuits (or algorithms) enjoy desired properties.
Model checking is a formal verification technique widely used in both academia and industry to systematically verify that systems satisfy desired properties. Quantum programs and quantum circuits are related concepts, but they differ in their level of abstraction and the way they represent quantum computations. Quantum circuits are lowlevel representations of quantum computation that can be used to implement quantum programs, while quantum programs are higherlevel representations of quantum computations that can be expressed in a quantum programming language consisting of a series of instructions, especially the loop instruction. Although there are some model checkers dedicated to quantum programs, such as Gay, Nagarajan & Papanikolaou (2008), Feng, Yu & Ying (2013) and Feng et al. (2015) (see Ying & Feng (2018), Ying & Feng (2021), Turrini (2022) for more details), there is still a gap between model checking quantum programs and quantum circuits due to different representations and no iteration in quantum circuits, which should be filled in. Moreover, because the verification of classical circuits using model checking has been proven to be a tremendously successful technique, model checking that quantum circuits satisfy desired properties would be a promising approach. There is a symbolic approach proposed by Shi et al. (2021) to (semi)automatically reasoning about quantum circuits in Coq (https://coq.inria.fr/), an interactive theorem prover, but it often requires human users to provide necessary lemmas to complete its proofs.
This article presents a symbolic approach to model checking quantum circuits using a set of laws from quantum mechanics and basic matrix operations with Dirac notation proposed by Dirac (1939). Concretely, quantum states, quantum gates, and measurements are described in Dirac notation instead of using explicitly complex vectors and matrices as proposed by Paykin, Rand & Zdancewic (2017), making our representations more compact. Using the set of laws, we can systematically reason about the evolution of quantum states. We use Maude introduced by Clavel et al. (2007), a highlevel specification/programming language based on rewriting logic presented by Meseguer (2012), to specify quantum states, some basic quantum gates (e.g., Hadamard gate, controlledNOT gate, and Pauli gates), and measurements on a standard basis with Dirac notation. Maude is equipped with a linear temporal logic (LTL) model checker and its reflective programming (or metaprogramming) facilities have been used to develop several software tools, such as MaudeNPA introduced by Escobar, Meadows & Meseguer (2007), its parallel version developed by Do et al. (2022), and a toolset of some parallel versions of the LTL model checker presented by Do et al. (2021), Do, Phyo & Ogata (2022), Do et al. (2023) and Phyo et al. (2023). Therefore, Maude makes it possible/convenient to implement our idea and carry out case studies. This is why we adopt Maude for the research described in the article.
As case studies, we focus on using our approach to formally specify several quantum communication protocols in the early work of quantum communication and formally verify their correctness: Superdense Coding introduced by Bennett & Wiesner (1992), Quantum Teleportation presented by Bennett et al. (1993), Quantum Secret Sharing developed by Hillery, Bužek & Berthiaume (1999), Entanglement Swapping proposed by Zukowski et al. (1993), Quantum Gate Teleportation suggested by Gottesman & Chuang (1999), Two Mirrorimage Teleportation devised by Williams (2008), and Quantum Network Coding originated by Satoh, Gall & Imai (2012). In this article, we use eventual properties, a class of liveness properties, to express the desired properties for these quantum communication protocols. In addition to the desired properties, any properties that can be expressed in the scope of LTL can essentially be verified using the Maude LTL model checker with our approach. In this article, we do not directly tackle quantum circuits for complicated quantum algorithms, such as Shor (1994) and Grover (1996) because necessary quantum gates have not been developed yet and our symbolic reasoning for complex numbers is not sufficient to describe and reason about their behaviors adequately. Therefore, extending our approach to handle these algorithms would require further research, which would be one piece of our future work. Our specification is specifically tailored to quantum circuits, abstracting away from the details of concurrency and communication. To handle quantum cryptography, such as BB84 introduced by Bennett & Brassard (2014) and B91 introduced by Ekert (1991), we need to be able to express concurrency and communication among participants in quantum protocols in our specification. Therefore, extending our approach to handle such quantum protocols would require further research, which would be one piece of our future work.
We demonstrate that our approach/implementation can be a first step toward a general framework to formally specify and verify quantum circuits. The proposed way to formally specify a quantum circuit makes it possible to describe the quantum circuit in Maude such that the formal specification can be regarded as a series of quantum gate/measurement applications. Once a quantum circuit has been formally specified in the proposed way together with an initial state and a desired property expressed in LTL, the proposed model checking technique utilizes a builtin Maude LTL model checker to automatically conduct formal verification that the quantum circuit enjoys the property starting from the initial state. Moreover, our specification considers the probabilities from measurements in quantum computation based on which the probability of a computation occurring is accumulated across states and so we are able to analyze both the quantitative and qualitative properties^{1} of several quantum communication protocols with the builtin LTL model checker in Maude. Our implementation is publicly available at https://doi.org/10.5281/zenodo.10783951.
The present article is an extended and improved version of our conference article presented by Do & Ogata (2023) with some improvements as follows:

We fully support Pauli gates in our specification and some additional gates, including S, T, CY, CZ, SW AP, CCY, CCZ, and CSW AP gates. Moreover, the symbolic reasoning is refined and improved in order to conduct more case studies.

We verify some more quantum communication protocols: Superdense Coding, Quantum Secret Sharing, Entanglement Swapping, Quantum Gate Teleportation, Two Mirrorimage Teleportation, and Quantum Network Coding in order to demonstrate the usefulness of our approach for formally specifying and verifying quantum circuits in Maude.

We identify that the original version of Quantum Gate Teleportation does not satisfy its desired property using our approach and support tool. We then propose a revised version of the protocol and verify that the revised one satisfies its desired property using our approach and support tool.

Lastly, we describe how we specify complex numbers in Maude to symbolically reason on complex numbers with rational numbers for our case studies.
The rest of the article is organized as follows: ‘Preliminaries’ explains basic quantum mechanics and Kripke structures; ‘Rewriting Logic and Quantum Circuits’ explains how we can associate a rewrite theory with a quantum circuit via a Kripke structure; ‘Symbolic Reasoning’ describes how to construct terms and use a set of laws from quantum mechanics and matrix operations for symbolic reasoning using our approach; ‘Formal Specification’ details how to specify qubits, gates, measurements, and then quantum circuits in order to symbolically model check quantum circuits in a generic way; ‘Symbolic Model Checking’ demonstrates how to use our symbolic approach to model checking several quantum communication protocols in depth; ‘Remark on Quantum Gate Teleportation’ provides a remark on Quantum Gate Teleportation; ‘Experimental Results’ presents our experimental results; ‘Discussion’ discusses our limitations, some challenges in using the Maude LTL model checker, a classical model checker, to verify quantum circuits, and how we address them in this article; ‘Related Work’ reviews some existing work; and ‘Conclusion’ concludes the article with some pieces of future work.
Preliminaries
This section briefly describes some basic notations from quantum mechanics based on linear algebra (refer to Nielsen & Chuang (2010) for more details) and Kripke structures.
Basic quantum mechanics
This section describes basic quantum mechanics based on the linear algebra approach. In classical computing, the fundamental unit of information is a bit whose value is either 0 or 1. In quantum computing, the counterpart is a quantum bit or qubit, which has two basis states, conventionally written in Dirac notation proposed by Dirac (1939) as 0〈.〉 and 1〈.〉, which denote two column vectors $\left(\begin{array}{c}\hfill 1\hfill \\ \hfill 0\hfill \end{array}\right)$ and $\left(\begin{array}{c}\hfill 0\hfill \\ \hfill 1\hfill \end{array}\right)$, respectively. In quantum theory, a general state of a quantum system is a superposition or linear combination of basis states. A single qubit has state ψ〈.〉 = α0〈.〉 + β1〈.〉, where α and β are complex numbers such that α^{2} + β^{2} = 1. States can be represented by column complex vectors as follows:
$\psi \u3008.\u3009=\left(\begin{array}{c}\hfill \alpha \hfill \\ \hfill \beta \hfill \end{array}\right)=\alpha \mathbf{0}\u3008.\u3009+\beta \mathbf{1}\u3008.\u3009$,
where {0〈.〉, 1〈.〉} forms an orthonormal basis of the twodimensional complex vector space. Formally, a quantum state is a unit vector in a Hilbert space $\mathcal{H}$, which is equipped with an inner product satisfying some axioms.
The basis {0〈.〉, 1〈.〉} is called the standard basis. Besides, we have some other bases of interest, such as the diagonal (or dual, or Hadamard) basis consisting of the following vectors:
$+\u3008.\u3009=\frac{1}{\sqrt{2}}\left(\mathbf{0}\u3008.\u3009+\mathbf{1}\u3008.\u3009\right)$ and $\u3008.\u3009=\frac{1}{\sqrt{2}}\left(\mathbf{0}\u3008.\u3009\mathbf{1}\u3008.\u3009\right)$.
The evolution of a closed quantum system can be performed by a unitary transformation. If the state of a qubit is represented by a column vector, then a unitary transformation can be represented by a complexvalue matrix U such that UU^{†} = U^{†}U = I or U^{†} = U^{−1}, where U^{†} is the conjugate transpose of U. U acts on the Hilbert space $\mathcal{H}$ transforming a state ψ〈.〉 to a state ψ′〈.〉 by a matrix multiplication such that ψ′〈.〉 = Uψ〈.〉. There are some common quantum gates: the identity gate I, the Pauli gates X, Y, and Z, the Hadamard gate H, and the controlledNOT gate CX. Note that the CX gate performs on two qubits, while the remaining gates perform on a single qubit.
For example, the Hadamard gate on a single qubit performs the mapping $\mathbf{0}\u3008.\u3009\mapsto \frac{1}{\sqrt{2}}\left(\mathbf{0}\u3008.\u3009+\mathbf{1}\u3008.\u3009\right)$ and $\mathbf{1}\u3008.\u3009\mapsto \frac{1}{\sqrt{2}}\left(\mathbf{0}\u3008.\u3009\mathbf{1}\u3008.\u3009\right)$. The controlledNOT gate on pairs of qubits performs the mapping 00〈.〉↦00〈.〉, 01〈.〉↦01〈.〉, 10〈.〉↦11〈.〉, 11〈.〉↦10〈.〉, which can be understood as inverting the second qubit (referred to as the target) if and only if the first qubit (referred to as the control) is 1. The common quantum gates are shown in Table 1 by names, circuit forms, and matrix representations, where i is the imaginary unit.
Operator  Gate  Matrix 

Identity (I_{2})  $\left(\begin{array}{c}\hfill 10\hfill \\ \hfill 01\hfill \end{array}\right)$  
PauliX (X)  $\left(\begin{array}{c}\hfill 01\hfill \\ \hfill 10\hfill \end{array}\right)$  
PauliY (Y)  $\left(\begin{array}{c}\hfill 0i\hfill \\ \hfill i0\hfill \end{array}\right)$  
PauliZ (Z)  $\left(\begin{array}{c}\hfill 10\hfill \\ \hfill 01\hfill \end{array}\right)$  
Hadamard (H)  $\frac{1}{\sqrt{2}}\left(\begin{array}{c}\hfill 11\hfill \\ \hfill 11\hfill \end{array}\right)$  
ControlledNOT (CX) (the first and second wires denote the control and target qubits, respectively)  $\left(\begin{array}{c}\hfill 1000\hfill \\ \hfill 0100\hfill \\ \hfill 0001\hfill \\ \hfill 0010\hfill \end{array}\right)$ 
A quantum measurement is described as a collection {M_{m}} of measurement operators, where the indices m refer to the measurement outcomes. It is required that the measurement operators satisfy ${\sum}_{m}{\mathit{M}}_{m}^{\u2020}{\mathit{M}}_{m}={\mathit{I}}_{\mathcal{H}}$. If the state of a quantum system is ψ〈.〉 before the measurement, then the probability for the result m is as follows:
$p\left(m\right)=\u3008\psi \left{\mathit{M}}_{m}^{\u2020}{\mathit{M}}_{m}\right\psi \u3009$,
where 〈〉.ψ is the dual of ψ〈.〉 such that 〈〉.ψ† = ψ〈.〉 and ψ〈.〉† = 〈〉.ψ. The state of the quantum system after the measurement is $\frac{{\mathit{M}}_{m}\psi \u3008.\u3009}{\sqrt{p\left(m\right)}}$ provided that p(m) > 0. For example, if a qubit is in state α0〈.〉 + β1〈.〉 and measuring with {M_{0}, M_{1}} operators, we have the result 0 with probability α^{2} at the postmeasurement state 0〈.〉 and the result 1 with probability β^{2} at the postmeasurement state 1〈.〉, where M_{0} = 0〈.〉 × 〈〉.0 and M_{1} = 1〈.〉 × 〈〉.1. The quantum measurement with {M_{0}, M_{1}} operators is called the binary projective measurement. In this study, we only use the binary projective measurement and its circuit form is depicted in Fig. 1 as follows:
For multiple qubits, we use the tensor product of Hilbert spaces. Let ${\mathcal{H}}_{1}$ and ${\mathcal{H}}_{2}$ be two Hilbert spaces. Their tensor product ${\mathcal{H}}_{1}\otimes {\mathcal{H}}_{2}$ is defined as a vector space consisting of linear combinations of the vectors ψ_{1}ψ_{2}〈.〉 = ψ_{1}〈.〉ψ_{2}〈.〉 = ψ_{1}〈.〉⊗ψ_{2}〈.〉, where ${\psi}_{1}\u3008.\u3009\in {\mathcal{H}}_{1}$ and ${\psi}_{2}\u3008.\u3009\in {\mathcal{H}}_{2}$. Systems of two or more qubits may be in entangled states, meaning that states of qubits are correlated and inseparable. For example, we consider a measurement of the first qubit of the entangled state $\frac{1}{\sqrt{2}}\left(\mathbf{00}\u3008.\u3009+\mathbf{11}\u3008.\u3009\right)$. The result is either 0 with probability $\frac{1}{2}$ leaving its state 00〈.〉 or 1 with probability $\frac{1}{2}$ leaving its state 11〈.〉. In either case, a subsequent measurement of the second qubit gives a nonprobabilistic result, which is immediate to the result of the first measurement before. Entanglement shows that an entangled state of two qubits cannot be expressed as a tensor product of singlequbit states. We can use H and CX gates to create entangled states as follows: $\mathit{CX}\left(\left(\mathit{H}\otimes \mathit{I}\right)\mathbf{00}\u3008.\u3009\right)=\frac{1}{\sqrt{2}}\left(\mathbf{00}\u3008.\u3009+\mathbf{11}\u3008.\u3009\right)$.
Kripke structures
A Kripke structure K is a tuple 〈S, I, T, A, L〉 as represented by Clarke et al. (2018), where S is a set of states, I⊆S is the set of initial states, T⊆S × S is a lefttotal binary relation over S, A is a set of atomic propositions, and L is a labeling function whose type is S → 2^{A}. Each element (s, s′) ∈ T is called a state transition from s to s′ and T may be called the state transitions (with respect to K). For a state s ∈ S, L(s) is the set of atomic propositions that hold in s. A path π is an infinite sequence s_{0}, …, s_{i}, s_{i+1}, … such that s_{i} ∈ S and (s_{i}, s_{i+1}) ∈ T for each i. We use the following notations for paths: π^{i}≜s_{i}, s_{i+1}, …, π_{i}≜s_{0}, …, s_{i}, s_{i}, s_{i}, …, π(i)≜s_{i}, where ≜ is used as “be defined as.” π^{i} is obtained by deleting the first i states s_{0}, s_{1}, …, s_{i−1} from π. π_{i} is obtained by taking the first i + 1 states s_{0}, s_{1}, …, s_{i−1}, s_{i} and adding s_{i} unboundedly many times at the end. π(i) is the ith state s_{i}. Let $\mathcal{P}$ be the set of all paths. π is called a computation if π(0) ∈ I. Let $\mathcal{C}$ be the set of all computations.
The syntax of a formula φ in LTL for K is as follows:
$\phi :=\top \phantom{\rule{0.25em}{0ex}}\left\phantom{\rule{0.25em}{0ex}}p\phantom{\rule{0.25em}{0ex}}\right\phantom{\rule{0.25em}{0ex}}\neg \phi \phantom{\rule{0.25em}{0ex}}\phantom{\rule{0.25em}{0ex}}\phi \wedge \phi \phantom{\rule{0.25em}{0ex}}\phantom{\rule{0.25em}{0ex}}\u25cb\phi \phantom{\rule{0.25em}{0ex}}\phantom{\rule{0.25em}{0ex}}\phi \phantom{\rule{0.25em}{0ex}}\mathcal{U}\phi $
where p ∈ A, and $\u25cb$ and $\mathcal{U}$ are called the next temporal connective and the until temporal connective, respectively. We introduce the eventual temporal abbreviation ♢ which is defined as follows:

$\u2662\phi \triangleq \top \phantom{\rule{0.25em}{0ex}}\mathcal{U}\phantom{\rule{0.25em}{0ex}}\phi $
This eventual temporal abbreviation is also used in Clarke et al. (2018).
Let $\mathcal{F}$ be the set of all formulas in LTL for K. Given an arbitrary path $\pi \in \mathcal{P}$ of K and an arbitrary LTL formula $\phi \in \mathcal{F}$ of K, K, π⊧φ is inductively defined as follows:

K, π⊧⊤

K, π⊧p iff p ∈ L(π(0))

K, π⊧¬φ_{1} iff K, π⁄⊧φ_{1}

K, π⊧φ_{1}∧φ_{2} iff K, π⊧φ_{1} and K, π⊧φ_{2}

$K,\pi \vDash \u25cb{\phi}_{1}$ iff K, π^{1}⊧φ_{1}

$K,\pi \vDash {\phi}_{1}\phantom{\rule{0.25em}{0ex}}\mathcal{U}{\phi}_{2}$ iff there exists a natural number i such that K, π^{i}⊧φ_{2} and for all natural numbers j < i, K, π^{j}⊧φ_{1}
where φ_{1} and φ_{2} are LTL formulas. Then, K⊧φ iff K, π⊧φ for each computation $\pi \in \mathcal{C}$ of K.
In this article, we refer to ♢φ as eventual properties, which informally state that something will eventually happen. Termination or halting is one important system requirement that many systems should satisfy and can be expressed in LTL as an eventual property. Moreover, we aim to verify whether quantum circuits satisfy certain desired properties where something good eventually happens. For example, a qubit at the final state for each possible execution path is the same as another qubit at the initial state with a nonzero probability. Therefore, it is worthwhile to use eventual properties to express desired properties for our case studies under verification. For more details, the reader is referred to ‘Symbolic Model Checking’ to see how we express the desired properties for our case studies as eventual properties.
Rewriting Logic and Quantum Circuits
This section describes how we can associate a rewrite theory with a quantum circuit via a Kripke structure at a conceptual level, enabling the use of LTL model checking to verify that the quantum circuit enjoys a desired property.
A rewrite theory $\mathcal{R}$ is a triple (Σ, E, R), where

Σ is an ordersorted signature consisting of a set of sorts, subsorts, and function symbols,

(Σ, E) forms an ordersorted equational theory with E being a collection of (possibly conditional) equations t = t′,

R is a collection of (possibly conditional) rewrite rules l → r.
Terms are built from variables, constants, and function symbols from Σ, and each term has a sort. The equations in E are used to reduce a term into a normal form, while the rewrite rules in R modulo E are used to make local transitions in systems, making it possible to rewrite one term to another term. We can associate a Kripke structure K = 〈S, I, T, A, L〉 to a rewrite theory $\mathcal{R}=\left(\Sigma ,E,R\right)$ as presented in Clavel et al. (2007, Chapter 13). In short, each term t in $\mathcal{R}$ can be regarded as a state s ∈ S in K; and each rewriting step from t to t′ can be regarded as a state transition (s, s′) ∈ T in K, where t and t′ are terms of the same sort with their corresponding states s, s′ ∈ S. A and L are not necessary parts of $\mathcal{R}$ and can be specified later in terms of constants and equations, respectively, to determine whether atomic propositions are true at a given state.
A quantum circuit can be described as a series of applications of quantum gates, measurements, and conditional gates, which are applied based on the outcomes of measurements. The input of a quantum circuit is a quantum state, and so is the output. The input and the output of a quantum circuit can be regarded as the initial state and the final state belonging to S in K, where the initial state also belongs to I in K. Therefore, a quantum state can be specified as a term in the rewrite theory $\mathcal{R}$. The application of quantum gates manipulates a quantum state to perform quantum computation, which is specified in terms of equations in $\mathcal{R}$ so that we can reason about quantum computation. The application of a quantum gate can be regarded as a deterministic state transition in K since it transforms a quantum state into another quantum state. As a result, the application of a quantum gate can be specified by a rewrite rule in $\mathcal{R}$. Besides quantum gates, we can conduct a measurement on a quantum state to obtain classical outcomes based on which other quantum actions (e.g., quantum gates) can take place. As mentioned before, we are only interested in the binary projective measurement in this article. Therefore, the application of a measurement can be regarded as a nondeterministic state transition in K since the measurement may make a quantum state collapse into one of two different possibilities of quantum states with probabilities. As a result, the application of a measurement can be specified by two rewrite rules in $\mathcal{R}$. Note that there are only two rewrite rules for quantum measurements, while there are as many rewrite rules as the number of quantum gates supported by the rewrite theory $\mathcal{R}$. If the equations in $\mathcal{R}$ are sufficient to reason about any quantum computation and the rewrite rules in $\mathcal{R}$ support sufficient quantum gates, the rewrite theory $\mathcal{R}$ can simulate the behavior of any quantum circuit, making it applicable in a generic sense.
Given a concrete quantum circuit described as a series of quantum gates, quantum measurement, and conditional gates, along with an initial quantum state, the rewrite theory $\mathcal{R}$ can simulate the behavior of the quantum circuit by addressing all possible execution paths starting from the initial quantum state. We can associate K with $\mathcal{R}$ so as to conduct LTL model checking and verify that the quantum circuit satisfies a desired property. The desired property of the quantum circuit can be constructed based on the atomic propositions (regarded as state predicates) within the scope of LTL language. For each possible execution path, we can examine each quantum state and check which atomic propositions hold at the state. Thus, LTL model checking can verify whether the quantum circuit satisfies the desired property.
Symbolic Reasoning
This section introduces some terms used in our symbolic reasoning and a set of laws used to reduce terms. The “symbolic” word means that we use braket notation, which means 〈〉.ψ and ψ〈.〉, instead of explicitly complex vectors and matrices as proposed by Paykin, Rand & Zdancewic (2017), which makes our representations more compact. Moreover, we can deal with not only concrete values but also symbolic values (representing arbitrary values) for complex numbers reasoning.
Terms
Terms are built from scalars and basic vectors with some operations.

Scalars are complex numbers. We extend rational numbers supported in Maude to deal with complex numbers. Some operations for scalars, such as multiplication, division, addition, conjugation, absolute, power, and square roots are specified. The reader who is interested in how to specify complex numbers in Maude is referred to Appendix A.

Basic vectors are the ones of the standard basis written in Dirac notation as 0〈.〉 and 1〈.〉.

Operations for matrices consist of scalar multiplication ⋅, matrix product ×, matrix addition +, tensor product ⊗, and the conjugate transpose A^{†} of a matrix A.
In Dirac notation, 〈〉.0 is the dual of 0〈.〉 such that 〈0^{†} = 0〉 and 0〈.〉^{†} = 〈〉.0; similarly for 〈〉.1. The terms j〈.〉 × 〈〉.k and the inner product of ket vectors j〈.〉 and k〈.〉 may be written shortly as j〈.〉〈〉.k and 〈j〉k for any j, k ∈ {0, 1}. By using these notations, we can intuitively explain how quantum operations work. For example, the X gate performs mapping 0〈.〉↦1〈.〉 and 1〈.〉↦0〈.〉. Therefore, we specify the X gate as 0〈.〉〈1 + 1〉〈〉.0 in Maude instead of using explicitly the matrix representation $\left(\begin{array}{cc}\hfill 0\hfill & \hfill 1\hfill \\ \hfill 1\hfill & \hfill 0\hfill \end{array}\right)$. We have X0〈.〉 = 1〈.〉〈〉.00〈.〉 + 0〈.〉〈〉.10〈.〉 = 1〈.〉 because of laws L1 and L3 in Table 2 and similarly for X1〈.〉 = 0〈.〉.
No.  Law 

L1  〈00〉 = 〈11〉 = 1, 〈10〉 = 〈01〉 = 0 
L2  Associativity of ×, + , ⊗ and Commutativity of + 
L3  0⋅A_{m×n} = O_{m×n}, c⋅O = O, 1⋅A = A 
L4  c⋅(A + B) = c⋅A + c⋅B 
L5  c_{1}⋅A + c_{2}⋅A = (c_{1} + c_{2})⋅A 
L6  c_{1}⋅(c_{2}⋅A) = (c_{1}⋅c_{2})⋅A 
L7  (c_{1}⋅A) × (c_{2}⋅B) = (c_{1}⋅c_{2})⋅(A × B) 
L8  A × (c⋅B) = (c⋅A) × B = c⋅(A × B) 
L9  A⊗(c⋅B) = (c⋅A)⊗B = c⋅(A⊗B) 
L10  O_{m×n} × A_{n×p} = A_{m×n} × O_{n×p} = O_{m×p} 
L11  I_{m} × A_{m×n} = A_{m×n} × I_{n} = A_{m×n} 
L12  A + O = O + A = O 
L13  O_{m×n}⊗A_{p×q} = A_{p×q}⊗O_{m×n} = O_{mp×nq} 
L14  A × (B + C) = A × B + A × C 
L15  (A + B) × C = A × C + B × C 
L16  (A⊗B) × (C⊗D) = (A × C)⊗(B × D) 
L17  A⊗(B + C) = A⊗B + A⊗C 
L18  (A + B)⊗C = A⊗C + B⊗C 
L19  (c⋅A)^{†} = c^{∗}⋅A^{†}, (A × B)^{†} = B^{†} × A^{†} 
L20  (A + B)^{†} = A^{†} + B^{†}, (A⊗B)^{†} = A^{†}⊗B^{†} 
L21  ${\mathit{I}}_{m}^{\u2020}={\mathit{I}}_{m},{\mathit{O}}_{m\times n}^{\u2020}={\mathit{O}}_{n\times m},{\left({\mathit{A}}^{\u2020}\right)}^{\u2020}=\mathit{A}$ 
L22  0〈.〉† = 〈〉.0, 〈〉.0† = 0〈.〉, 1〈.〉† = 1〈.〉, 〈〉.1† = 1〈.〉 
We conventionally specify some basic matrices B_{i} for i ∈ [0..3] as follows:
B_{0} = 0〈.〉 × 〈〉.0, B_{1} = 0〈.〉 × 〈〉.1, B_{2} = 1〈.〉 × 〈〉.0, B_{3} = 1〈.〉 × 〈〉.1.
The X, Y, Z, CX, and H gates are then a linear combination of the matrices B_{i} as follows:
X = B_{1} + B_{2}, Y = (−i)⋅B_{1} + i⋅B_{2}, Z = B_{1} + (−1)⋅B_{3},
CX = B_{0}⊗I_{2} + B_{3}⊗X, $\mathit{H}=\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{0}+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{1}+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{2}+\left(\frac{1}{\sqrt{2}}\right)\cdot {\mathit{B}}_{3}$.
Laws
We use a set of laws in Table 2 derived from the properties of quantum mechanics and basic matrix operations, and thus, they are immediately sound. The reader who is interested in their proofs in Coq is referred to Shi et al. (2021). Because 0〈.〉 and 1〈.〉 can be viewed as 2 × 1 matrices, then the laws actually describe matrix calculations with Dirac notation, zero and identity matrices, and scalars. These laws are described by equations in Maude and are used to automatically reduce terms until no more matrix operation is applicable. Some laws dedicated to simplifying the expressions about complex numbers are also specified in Maude by means of equations, but we do not mention them here for brevity.
For example, we would like to reduce the term CX × ((H⊗I) × 0〈.〉⊗0〈.〉) to check whether its result is $\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{1}\u3008.\u3009$. The term says that the H gate acts on the first qubit followed by the CX gate where the control and target bits are the first and second qubits, respectively. The simplification of the term goes as follows: $\mathit{H}\times \mathbf{0}\u3008.\u3009$ $=\left(\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{0}+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{1}+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{2}+\left(\frac{1}{\sqrt{2}}\right)\cdot {\mathit{B}}_{3}\right)\times \mathbf{0}\u3008.\u3009\left(\text{byreplacementof}\phantom{\rule{0.25em}{0ex}}\mathit{H}\right)$ $=\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{0}\times \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{1}\times \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot {\mathit{B}}_{2}\times \mathbf{0}\u3008.\u3009+\left(\frac{1}{\sqrt{2}}\right)\cdot {\mathit{B}}_{3}\times \mathbf{0}\u3008.\u3009\left(\text{bylawL15}\right)$ $=\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\times \u3008\mathbf{0}\times \mathbf{0}\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\times \u3008\mathbf{1}\times \mathbf{0}\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\times \u3008\mathbf{0}\times \mathbf{0}\u3009+\left(\frac{1}{\sqrt{2}}\right)\cdot \mathbf{1}\u3008.\u3009\times \u3008\mathbf{1}\times \mathbf{0}\u3009\left(\text{by replacements of}\phantom{\rule{0.25em}{0ex}}{\mathit{B}}_{0},{\mathit{B}}_{1},{\mathit{B}}_{2},\text{and}\phantom{\rule{0.25em}{0ex}}{\mathit{B}}_{3}\right)$ $=\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\left(\text{by law L1}\right)$ $\left(\mathit{H}\otimes \mathit{I}\right)\times \left(\mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)$ $=\left(\mathit{H}\times \mathbf{0}\u3008.\u3009\right)\otimes \left(\mathit{I}\times \mathbf{0}\u3008.\u3009\right)\left(\text{by law L16}\right)$ $=\left(\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\right)\otimes \mathbf{0}\u3008.\u3009\left(\text{by the result of}\phantom{\rule{0.25em}{0ex}}\mathit{H}\times \mathbf{0}\u3008.\u3009\phantom{\rule{0.25em}{0ex}}\text{and law L11}\right)$ $=\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\left(\text{by law L18}\right)$ $\mathit{CX}\times \left(\left(\mathit{H}\otimes \mathit{I}\right)\times \left(\mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)\right)$ $=\left({\mathit{B}}_{0}\otimes \mathit{I}+{\mathit{B}}_{3}\otimes \mathit{X}\right)\times \left(\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)\left(\text{by replacement of}\phantom{\rule{0.25em}{0ex}}\mathit{CX},\text{and the result of}\phantom{\rule{0.25em}{0ex}}\left(\mathit{H}\otimes \mathit{I}\right)\times \left(\mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)\right)$ $=\left({\mathit{B}}_{0}\otimes \mathit{I}\right)\times \left(\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)+\left({\mathit{B}}_{0}\otimes \mathit{I}\right)\times \left(\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)+\left({\mathit{B}}_{3}\otimes \mathit{X}\right)\times \left(\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)+$ $\phantom{\rule{10.00002pt}{0ex}}{\mathit{B}}_{3}\otimes \mathit{X}\times \left(\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009\right)\left(\text{by laws L14 and L15}\right)$ $=\frac{1}{\sqrt{2}}\cdot \left({\mathit{B}}_{0}\times \mathbf{0}\u3008.\u3009\right)\otimes \left(\mathit{I}\times \mathbf{0}\u3008.\u3009\right)+\frac{1}{\sqrt{2}}\cdot \left({\mathit{B}}_{0}\times \mathbf{1}\u3008.\u3009\right)\otimes \left(\mathit{I}\times \mathbf{0}\u3008.\u3009\right)+\frac{1}{\sqrt{2}}\cdot \left({\mathit{B}}_{3}\times \mathbf{0}\u3008.\u3009\right)\otimes \left(\mathit{X}\times \mathbf{0}\u3008.\u3009\right)+$ $\phantom{\rule{10.00002pt}{0ex}}\frac{1}{\sqrt{2}}\cdot \left({\mathit{B}}_{3}\times \mathbf{1}\u3008.\u3009\right)\otimes \left(\mathit{X}\times \mathbf{0}\u3008.\u3009\right)\left(\text{by laws L8, L9, and L16}\right)$ $=\frac{1}{\sqrt{2}}\cdot \mathbf{0}\u3008.\u3009\otimes \mathbf{0}\u3008.\u3009+\frac{1}{\sqrt{2}}\cdot \mathbf{1}\u3008.\u3009\otimes \mathbf{1}\u3008.\u3009\left(\text{by replacements of}\phantom{\rule{0.25em}{0ex}}{\mathit{B}}_{0},{\mathit{B}}_{3},\text{and}\phantom{\rule{0.25em}{0ex}}\mathit{X},\text{and laws L1, L11,}\text{and L15}\right)$
Using the laws, the term is reduced to a normal form that is a linear combination of the tensor product of the standard basis with scalars. The whole process is conducted automatically in Maude and the result is the same as expected. The key idea is to reduce the matrix multiplication in the form of 〈ij〉 into a scalar and simplify the matrix representation by absorbing ones and eliminating zeros (see law L3). In this manner, our symbolic reasoning about matrices can be conducted automatically by rewriting in Maude instead of explicitly calculating matrices.
Formal Specification
This section shows how we specify in Maude qubits, quantum gates, measurements, and then quantum circuits in order to symbolically model check quantum circuits in a generic way.
Maude specification of qubits, gates, and measurements
Qubits are specified in Maude as the linear combination of tensor product of the standard basis in Dirac notation with scalars and similarly for quantum gates. Because 0〈.〉 and 1〈.〉 can be viewed as 2 × 1 matrices, then qubits and quantum gates are basically matrices. Quantum gates act on qubits (a quantum state) specified in Maude as a matrix multiplication with a deterministic transition in Maude. In this article, we only consider binary projective measurements on the standard basis, and thus the measurement operators are {M_{0}, M_{1}}. A measurement of a single qubit in a quantum state is specified in Maude by two state transitions with probabilities p(m) for m ∈ {0, 1}, making a nondeterministic probabilistic transition. Each of the two transitions shows how its measurement operator acts on the single qubit in a state and is specified similarly as quantum gates, however, with respect to the probabilities.
A generic maude specification of quantum circuits
Quantum circuits are composed of a sequence of quantum gates, measurements, initializations of qubits, and possibly other actions. In this article, we consider the specification of the whole quantum state of a quantum circuit, the classical bits obtained from measurements, and the sequence of quantum gates, measurements, and conditional gates describing how a quantum circuit works. We then build Kripke structures for quantum circuits in order to conduct model checking that quantum circuits satisfy desired properties. Some essential elements are shared in the Kripke structures, making a first step toward a general framework for specifying and verifying quantum circuits.
Elements of quantum circuits
A whole quantum state of a quantum circuit is specified in Maude as a collection of qubits associated with indices in circuits, where each element is one of the forms as follows:

denotes a single qubit in state ψ〈.〉 at q_{i},(q[i]: ψ〈.〉)

denotes a single qubit in state ψ〈.〉 at q_{i}, denotes an entangled state in state ψ〈.〉 at q_{i}, ..., q_{j}, where the order of i, ..., j is relevant.(q[i,...,j]: ψ〈.〉)
Note that q_{i} and q_{j} denote the labels of quantum wires (refer to our circuits in ‘Symbolic Model Checking’ for more visualization), where i and j represent the indices of the qubits in the whole quantum state of a quantum circuit.
Classical bits are specified in Maude as a map from indices in circuits to Boolean values, where each entry is in the form of
(i ↦→ b)
, meaning that the value of the classical bit stored at c_{i} is b whose value is either 0 or 1.
A sequence of quantum gates, measurements, and conditional gates in a quantum circuit is specified in Maude as a list of actions in which each action is one of the forms as follows:

applies the I gate on q_{i},I(i)

applies the X gate on q_{i},X(i)

applies the Y gate on q_{i},Y(i)

applies the Z gate on q_{i},Z(i)

applies the H gate on q_{i},H(i)

applies the CX gate on q_{i} and q_{j},CX(i,j)

measures q_{i} with the standard basis,M(i)

?c[i] == b
checks if the classical bit at c_{i} equals b, then a listAL
of actions is executed.AL
Although our specification supports some additional gates, including S, T, CY, CZ, SWAP, CCY, CCZ, and CSWAP gates, we do not mention them here because the additional gates are not used for our case studies in this article. Note that those gates can form universal quantum gates, meaning that we may use those gates to describe universal quantum computation. However, we need to enhance our symbolic reasoning for complex numbers because its specification is not complete in this article. Based on the actions specified above, we can describe the circuits for several quantum communication protocols as shown in ‘Symbolic Model Checking’. The reader who is interested in how quantum computation works with our specification can refer to Appendix B for more details.
Kripke structures of quantum circuits
Let K be the Kripke structure specifying a quantum circuit. There are five kinds of observable components in our specification as follows:

represents the whole quantum state qs,(qstate: qs)

indicates the classical bits obtained from measurements and stored in a bit map bm,(bits: bm)

denotes the probability p at the current quantum state,(prob: p)

signifies the action list al, guiding us on how the circuit works,(actions: al)

designates termination with Boolean flag b.(isEnd: b)
Each state in S is expressed as {obs}, where obs is a collection of those observable components consisting of one
qstate
observable component, one
prob
observable component, one
bits
observable component, one
actions
observable component, and one
isEnd
observable component. Note that the whole quantum state denotes the quantum state of a quantum circuit, while each state in S denotes a state under model checking, which consists of not only the whole quantum state but also other necessary information for model checking.
The set T of transitions is specified in Maude by eleven rewrite rules in our specification. Let
OCs
be a Maude variable of observable component collections,
Q
and
Q’
be Maude variables of whole quantum states,
BM
be a Maude variable of bit maps,
Prob
and
Prob’
be Maude variables of scalars,
AL
and
AL’
be Maude variables of action lists,
B
be a Maude variable of Boolean values, and
N
,
N1
, and
N2
are Maude variables of natural numbers.
The first six rewrite rules are as follows:
rl [I] : {(qstate: Q) (actions: (I(N) AL)) OCs}
=> {(qstate: Q) (actions: AL) OCs} .
crl [X] : {(qstate: Q) (actions: (X(N) AL)) OCs}
=> {(qstate: Q’) (actions: AL) OCs}
if Q’ := (Q).X(N) .
crl [Y] : {(qstate: Q) (actions: (Y(N) AL)) OCs}
=> {(qstate: Q’) (actions: AL) OCs}
if Q’ := (Q).Y(N) .
crl [Z] : {(qstate: Q) (actions: (Z(N) AL)) OCs}
=> {(qstate: Q’) (actions: AL) OCs}
if Q’ := (Q).Z(N) .
crl [H] : {(qstate: Q) (actions: (H(N) AL)) OCs}
=> {(qstate: Q’) (actions: AL) OCs}
if Q’ := (Q).H(N) .
crl [CX] : {(qstate: Q) (actions: (CX(N1, N2) AL)) OCs
}
=> {(qstate: Q’) (actions: AL) OCs}
if Q’ := (Q).CX(N1, N2) .
The rules
I
,
X
,
Y
,
Z
,
H
, and
CX
simulate how the I, X, Y, Z, H, and CX gates act on the whole quantum state in the
qstate
observable component if its action appears in the
actions
observable component, respectively. In this specification, we consider the probabilities of measurements in quantum computation and so we can analyze not only qualitative properties but also quantitative properties for quantum circuits.
The next two rewrite rules are as follows:
crl [M0] : {(qstate: Q) (actions: (M(N) AL)) (prob:
Prob) (bits: BM) OCs}
=> {(qstate: Q’) (actions: AL) (prob: (Prob .* Prob’))
(bits: insert(N, 0, BM)) OCs}
if {qstate: Q’, prob: Prob’} := (Q).M(P0,N) .
crl [M1] : {(qstate: Q) (actions: (M(N) AL)) (prob:
Prob) (bits: BM) OCs}
=> {(qstate: Q’) (actions: AL) (prob: (Prob .* Prob’))
(bits: insert(N, 1, BM)) OCs}
if {qstate: Q’, prob: Prob’} := (Q).M(P1,N) .
The rules
M0
and
M1
say that we measure the qubit at index
N
with the measurement operators M_{0} and M_{1}, respectively; the classical outcomes are stored accordingly into the bit map in the
bits
observable component; the probabilities and the postmeasurement states are also updated in the
prob
and
qstate
observable components, respectively. These two rules make a nondeterministic probabilistic transition when measuring a single qubit.
The next rewrite rule describes how to conditionally perform the next actions based on classical bits obtained from measurements if applicable.
rl [cif]:
{(qstate: Q) (bits: ((N > N1),BM)) (actions: ((c[N]
== N2 ? AL’) AL)) OCs}
=> {(qstate: Q) (bits: ((N > N1), BM))
(actions: ((if (N1 == N2) then AL’ else nil fi) AL
)) OCs} .
This rule says that if
c[N] x== N2 ? AL’
is in the action list and the classical bit
N1
at index
N
equals the conditional value
N2
, then the action list
AL’
is prepended to the action list
AL
in the
actions
observable component to be executed next; otherwise, it is ignored.
The last two rules are as follows:
rl [end]: {(actions: nil) (isEnd: false) OCs}
=> {(actions: nil) (isEnd: true) OCs} .
rl [stutter]: {(isEnd: true) OCs}
=> {(isEnd: true) OCs} .
The rule
end
marks the termination if the action list is
nil
, meaning no more action. Meanwhile, the rule
stutter
is necessary to make T total when the
isEnd
observable component is true.
For Kripke structure K = 〈S, I, T, A, L〉 of a quantum circuit, we can reuse S and T, while I is required to define initial states, and A and L are required to define desired properties for the quantum circuit. Therefore, our specification can be a first step toward a general framework to formally specify and verify quantum circuits in Maude.
Symbolic Model Checking
We have used our symbolic approach to conduct model checking for several quantum communication protocols in the early stage of quantum communication:

Superdense Coding introduced by Bennett & Wiesner (1992) for transmitting two classical bits using an entangled state,

Quantum Teleportation presented by Bennett et al. (1993) for teleporting an arbitrary pure state by sending two bits of classical information,

Quantum Secret Sharing developed by Hillery, Bužek & Berthiaume (1999) for teleporting a pure state from a sender (Alice) to a receiver (Bob) with the help of a third party (Charlie),

Entanglement Swapping proposed by Zukowski et al. (1993) for creating a new entangled state,

Quantum Gate Teleportation suggested by Gottesman & Chuang (1999) for teleporting two arbitrary states through the controlledNOT gate,

Two Mirrorimage Teleportation devised by Williams (2008) for teleporting two arbitrary states,

Quantum Network Coding originated by Satoh, Gall & Imai (2012) for sending two entangled states simultaneously.
Superdense Coding is the simplest one that uses only two qubits; Quantum Teleportation uses three qubits; Quantum Secret Sharing proposed relying on the mechanism of Quantum Teleportation uses four qubits; Entanglement Swapping uses four qubits; Quantum Gate Teleportation uses six qubits; Two Mirrorimage Teleportation uses six qubits; and Quantum Network Coding uses ten qubits.
For the sake of simplicity, this section demonstrates how to use our symbolic approach to conduct model checking experiments for four quantum communication protocols: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, and Quantum Gate Teleportation. Meanwhile, other communication protocols are similar and the full specifications of all quantum communication protocols concerned in this article are publicly available at https://doi.org/10.5281/zenodo.10783951. For each case study, we only need to specify I, A, and L to model check that K satisfies desired properties, while S and T in K are reused as described in the previous section. In this section, we use
qstate(.)
and
qubitAt(.)
as two functions to get the whole quantum state from a state in S and to get a single qubit at some index from the whole quantum state, respectively, where the symbol
.
denotes its parameter. It is important to note that we use quantum circuits to represent the quantum communication protocols. Therefore, sending or receiving classical bits obtained from the measurement outcomes will be abstracted away. However, in the following introduction of each protocol, we describe how the protocol works, assuming that participants can communicate with each other (e.g., Alice can send a classical bit to Bob). This makes it easier for the reader to understand how each protocol works.
Superdense coding
Introduction
Superdense Coding (SC) introduced by Bennett & Wiesner (1992) takes advantage of entanglement in quantum mechanics to send two classical bits from Alice to Bob using just a pair of entangled qubits. Figure 2 depicts the circuit for Superdense Coding. The single wires denote qubits referred to as q_{i}, while the double wires denote classical bits referred to as c_{i}. Alice acts on q_{0} while Bob acts on q_{1} as follows:

First, q_{0} are q_{1} are initially in the basic state 0〈.〉. We need to prepare an entangled state between q_{0} and q_{1} by applying the sequence of the H gate on q_{0} and the CX gate on q_{0} and q_{1}. The entangled state is shared between Alice and Bob using a quantum channel, where q_{0} and q_{1} are manipulated by Alice and Bob, respectively.

Second, Alice needs to send two classical bits x and y, where x, y ∈ {0, 1}, as depicted in Fig. 2. Depending on the values of x and y that Alice wants to send to Bob, Alice will apply the σ_{i} gate on q_{0}, where i = y + x∗(2 + (−1)^{y}) ranging over {0, 1, 2, 3} and σ_{0}, σ_{1}, σ_{2}, and σ_{3} are I, X, Y, Z gates, respectively.

Third, we then apply the sequence of the CX gate on q_{0} and q_{1}, and the H gate on q_{0}.

Fourth, we measure the qubits q_{0} and q_{1}, and immediately obtain two classical outcomes (0 or 1) stored in c_{0} and c_{1}, respectively.
At the end, the pair (c_{0}, c_{1}) of classical bits obtained from Bob is expected to be the same as the pair (x, y) of classical bits sent by Alice. We would like to verify the correctness of Superdense Coding by using our symbolic model checking.
Specification of superdense coding
Regarding the actions specified in ‘Formal Specification’, we can describe the circuit for Superdense Coding with different values of classical bits used for (x, y) as follows:

(x, y) = (0, 0) with σ_{0} = I: H(0) CX(0, 1) I(0) CX(0, 1) H(0) M(0) M(1)

(x, y) = (0, 1) with σ_{1} = X: H(0) CX(0, 1) X(0) CX(0, 1) H(0) M(0) M(1)

(x, y) = (1, 1) with σ_{2} = Y: H(0) CX(0, 1) Y(0) CX(0, 1) H(0) M(0) M(1)

(x, y) = (1, 0) with σ_{3} = Z: H(0) CX(0, 1) Z(0) CX(0, 1) H(0) M(0) M(1)
Let I_{SC} be the set of initial states for Superdense Coding. It consists of four initial states corresponding to the four possible values used for (x, y) as follows:
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: 0>) (q[1]: 0>))
(bits: empty)
(actions: H(0) CX(0, 1) I(0) CX(0, 1) H(0)
M(0) M(1))}
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: 0>) (q[1]: 0>))
(bits: empty)
(actions: H(0) CX(0, 1) X(0) CX(0, 1) H(0)
M(0) M(1))}
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: 0>) (q[1]: 0>))
(bits: empty)
(actions: H(0) CX(0, 1) Y(0) CX(0, 1) H(0)
M(0) M(1))}
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: 0>) (q[1]: 0>))
(bits: empty)
(actions: H(0) CX(0, 1) Z(0) CX(0, 1) H(0)
M(0) M(1))}
Let us refer to the four initial states as
init0
,
init1
,
init2
, and
init3
, respectively. Initially, for each initial state, the
isEnd
observable component is false, the
prob
observable component is one, the
qstate
is the basic state (saying 00〈.〉), while the
actions
observable component contains the action list describing how Superdense Coding works with respect to the values of classical bits x and y.
Model checking superdense coding
Let K_{SC} be the Kripke structure for Superdense Coding. To model check that K_{SC} satisfies desired properties, we specify A_{SC} and L_{SC} for Superdense Coding. A_{SC} has four atomic propositions
isGateI
,
isGateX
,
isGateY
, and
isGateZ
. L_{SC} is specified as follows:
eq {(isEnd: true) (bits: BM) (prob: Prob) OCs} =
isGateI
= (Prob > 0) implies (BM[0] == 0 and BM[1] == 0) .
eq {(isEnd: true) (bits: BM) (prob: Prob) OCs} =
isGateX
= (Prob > 0) implies (BM[0] == 0 and BM[1] == 1) .
eq {(isEnd: true) (bits: BM) (prob: Prob) OCs} =
isGateY
= (Prob > 0) implies (BM[0] == 1 and BM[1] == 1) .
eq {(isEnd: true) (bits: BM) (prob: Prob) OCs} =
isGateZ
= (Prob > 0) implies (BM[0] == 1 and BM[1] == 0) .
eq {OCs} = PROP = false [owise] .
where
BM
and
Prob
are Maude variables denoting the classical bit map and the probability at a state in S, respectively.
The five equations say that
isGateI
holds at a state if the state contains
(isEnd: true)
,
(bits: BM)
, and
(prob: Prob)
such that the condition
BM[0] == 0 and BM[1] == 0
holds whenever
Prob > 0
(a nonzero probability), meaning that the pair (0, 0) of classical bits obtained from Bob is the same as the classical bits sent by Alice when the gate X is used; and similar for other propositions. Let
gateIProp
,
gateXProp
,
gateYProp
, and
gateZProp
be LTL formulas defined as
<> isGateI
,
<> isGateX
,
<> isGateY
, and
<> isGateZ
, respectively, where
<>
is the eventual temporal connective.
We model check that K_{SC} = 〈S, I_{SC}, T, A_{SC}, L_{SC}〉 satisfies
gateIProp
,
gateXProp
,
gateYProp
, and
gateZProp
from the initial states
init0
,
init1
,
init2
, and
init3
, respectively, in Maude as follows:
red modelCheck(init0, gateIProp) .
red modelCheck(init1, gateXProp) .
red modelCheck(init2, gateYProp) .
red modelCheck(init3, gateZProp) .
No counterexample is found in just 1 ms for each model checking experiment and so K_{SC} satisfies
gateIProp
,
gateXProp
,
gateYProp
, and
gateZProp
. In other words, for all possible values of (x, y) and its corresponding gates used, Bob can receive the same classical values sent by Alice at the end. Thus, we successfully verify the correctness of Superdense Coding by using our symbolic model checking approach. Note that we do not treat the input (x, y) to Superdense Coding as a twobit value symbolically; instead, we conduct four separate model checking experiments. This is necessary because we need to instantiate the input to determine which quantum circuit and its desired property should be considered individually.
Moreover, we conduct some more model checking experiments for Superdense Coding to confirm that Bob cannot receive bits that differ from the ones sent by Alice using the following commands:
red modelCheck(init0, gateXProp) .
red modelCheck(init0, gateYProp) .
red modelCheck(init0, gateZProp) .
red modelCheck(init1, gateIProp) .
red modelCheck(init1, gateYProp) .
red modelCheck(init1, gateZProp) .
red modelCheck(init2, gateIProp) .
red modelCheck(init2, gateXProp) .
red modelCheck(init2, gateZProp) .
red modelCheck(init3, gateIProp) .
red modelCheck(init3, gateXProp) .
red modelCheck(init3, gateYProp) .
where each of
init0
,
init1
,
init2
, and
init3
is used to check with other properties compared to the previous experiments. Each command returns a counterexample that confirms that Bob cannot receive bits that differ from the ones sent by Alice.
Quantum teleportation
Introduction
Quantum Teleportation (QT) introduced by Bennett et al. (1993) also takes advantage of entanglement in quantum mechanics to send an unknown quantum state ψ〈.〉 from Alice to Bob by using only three qubits and two classical bits. Because the nocloning theorem, as stated in Wootters & Zurek (1982), does not allow copying an arbitrary unknown quantum state, the protocol becomes extremely important to transmit an arbitrary unknown quantum state from one source to another. The difference between Superdense Coding and Quantum Teleportation is that the former transmits two classical bits, while the latter transmits an arbitrary unknown quantum state.
The circuit depicted in Fig. 3 shows how the protocol works. Alice acts on q_{0} and q_{1}, and Bob acts on q_{2} as follows:

First, we prepare an unknown state ψ〈.〉 = α0〈.〉 + β1〈.〉 at q_{0}, where α and β are complex numbers such that α^{2} + β^{2} = 1. Initially, q_{1} and q_{2} are in the state 0〈.〉.

Second, we apply a sequence of quantum gates to manipulate three qubits. In this case, we only consider the singlequbit Hadamard H and twoqubit controlledNOT CX gates. We first apply the H gate on q_{1} followed by the CX gate on q_{1} and q_{2} in order to make an entangled state shared between Alice and Bob. Alice then applies the CX gate on q_{0} and q_{1} followed by the H gate on q_{0}.

Third, we measure the qubits q_{0} and q_{1}, and immediately obtain two classical outcomes (0 or 1) stored in c_{0} and c_{1}, respectively.

Fourth, we conditionally apply singlequbit X and Z gates on q_{2} depending on the two classical bits in c_{0} and c_{1}. Concretely, we use the X gate if c_{1} equals one and followed by the Z gate if c_{0} equals one.
At the end, Bob will have ψ〈.〉 and Alice will not have it anymore. We would like to verify whether Alice can correctly send an arbitrary unknown quantum state to Bob at the end by using our symbolic model checking.
Specification of quantum teleportation
We can describe the circuit for Quantum Teleportation based on the actions specified in ‘Formal Specification’ as follows:
H(1) CX(1, 2) CX(0, 1) H(0) M(0) M(1) (c[1] == 1 ? X
(2)) (c[0] == 1 ? Z(2))
Let I_{QT} be the set of initial states for Quantum Teleportation. It consists of only one initial state as follows:
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: a . 0> + b . 1>)
(q[1]: 0>) (q[2]: 0>))
(bits: empty)
(actions: H(1) CX(1, 2) CX(0, 1) H(0)
M(0) M(1)
c[1] == 1 ? X(2)
c[0] == 1 ? Z(2))}
where
a
and
b
are Maude constants denoting arbitrary scalars such that a^{2} + b^{2} = 1. Initially, the
isEnd
observable component is false, the
prob
observable component is one, the
qstate
is a symbolic state that is the same as the input state of the protocol, the
actions
observable component contains the action list describing how the protocol works.
Model checking quantum teleportation
Let K_{QT} and
init
be the Kripke structure and the initial state for Quantum Teleportation, respectively. To model check that K_{QT} satisfies desired properties, we specify A_{QT} and L_{QT}. A_{QT} has one atomic proposition
isSuccess
. L_{QT} is specified as follows:
eq {(isEnd: true) (qstate: Q) (prob: Prob) OCs} =
isSuccess
= Prob > 0 implies (qubitAt(Q, 2) == qubitAt(qstate(
init), 0) and
qubitAt(Q, 0) =/= qubitAt(qstate(init), 0)) .
eq {OCs} = PROP = false [owise] .
where
Q
and
Prob
are Maude variables denoting the whole quantum state and the probability at a state, respectively.
The two equations say that
isSuccess
holds at a state if the state contains
(isEnd: true)
,
(qstate: Q)
, and
(prob: Prob)
such that the condition
qubitAt(Q, 2) == qubitAt(qstate(init), 0)
and
qubitAt(Q, 0) == qubitAt(qstate(init), 0)
holds whenever
Prob > 0
holds, meaning that at the end, the qubit received by Bob is equal to the qubit sent by Alice at the beginning, and Alice does not have the qubit anymore with a nonzero probability. Let
teleProp
be an LTL formula defined as
<> isSuccess
.
We want to model check that K_{QT} = 〈S, I_{QT}, T, A_{QT}, L_{QT}〉 satisfies
teleProp
from the initial state
init
in Maude as follows:
red modelCheck(init, teleProp) .
No counterexample is found in just 3 ms and so K_{QT} satisfies
teleProp
. In other words, we successfully verify the correctness of Quantum Teleportation by using our symbolic model checking approach.
During LTL model checking, each state in a computation reachable from an initial state contains information on the probability accumulated up to the state from previous states. Ultimately, we obtain the probability of each computation. We would like to additionally check that if a computation has a probability greater than 0, the probability is also less than 1/2. We achieve this by adding the condition
Prob > 1/2
to the condition of the first equation specifying the labeling function for the atomic proposition
isSuccess
.
The first equation now becomes as follows:
eq {(isEnd: true) (qstate: Q) (prob: Prob) OCs} =
isSuccess
= Prob > 0 implies (qubitAt(Q, 2) == qubitAt(qstate(
init), 0) and
qubitAt(Q, 0) =/= qubitAt(qstate(init), 0) and Prob
< 1/2) .
We then conduct the model checking experiment again and no counterexample is found because each computation indeed has the probability of 1/4 equally. This artificial model checking experiment demonstrates that we can specify quantitative properties by considering the accumulated probability across states for each computation.
Moreover, we conduct one more model checking experiment to confirm that Alice indeed keeps her initial qubit with zero probability by changing the condition
qubitAt(Q, 0) =/= qubitAt(qstate(init), 0)
to
qubitAt(Q, 0) == qubitAt(qstate(init), 0)
in the condition of the first equation specifying the labeling function for the atomic proposition
isSuccess
, and conducting the model checking experiment again. As expected, a counterexample was found, showing that Alice indeed keeps her initial qubit with zero probability.
Reachability analysis for quantum teleportation
Besides using LTL model checking, we can also use reachability analysis to verify the correctness of Quantum Teleportation with the same property mentioned above. Maude is equipped with the search command with which reachability analysis can be conducted. The following search command, where
TELEPORT
is the specification of Quantum Teleportation,
init
is the initial state for
TELEPORT
,
search in TELEPORT: init
=>* {(qstate: Q) (isEnd: true) (prob: P) OCs}
such that not (
Prob > 0 implies (qubitAt(Q, 2) == qubitAt(qstate(
init), 0) and
qubitAt(Q, 0) =/= qubitAt(qstate(init), 0))
) .
finds all states reachable from the initial state that contain
(isEnd: true)
,
(qstate: Q)
, and
(prob: Prob)
such that it is not the case where the qubit received by Bob at the end is equal to the qubit sent by Alice at the beginning, and Alice does not have the qubit anymore with a nonzero probability. Note that the condition used here is the negation of the condition used to define the atomic proposition
isSuccess
above. The search command does not find any state in just 2 ms, meaning that we successfully verify the correctness of Quantum Teleportation by using reachability analysis.
The reason why we use the Maude LTL model checker is because it is convenient to express desired properties of quantum circuits in LTL. Quantum circuits look simple but have nondeterminism because of measurements, and then have multiple possible execution paths. It is necessary to take all such multiple execution paths. Desired properties of quantum circuits are in the form: for each possible execution path, something good eventually happens. For example, a qubit at the final state for each possible execution path is the same as another qubit at the initial state with a nonzero probability. Meanwhile, we need to find all states that do not satisfy the condition and we need to think in an inverse way when the search command is used. As written, we can use the search command, but because times taken by the search command (i.e., 2 ms) and the Maude LTL model checker (i.e., 3 ms) are comparable and it is convenient to express desired properties of quantum circuits in LTL, so we use the Maude LTL model checker.
Quantum secret sharing
Introduction
Quantum Secret Sharing (QSS) was first invented by Hillery, Bužek & Berthiaume (1999) and some attempts to describe quantum circuits for the protocol were presented by Joy et al. (2019). This protocol also takes advantage of entanglement to send an unknown quantum state ψ〈.〉 from Alice to either Bob or Charlie using the mechanism of Quantum Teleportation. However, this protocol uses four qubits and three classical bits, and especially neither Bob nor Charlie can independently reconstruct ψ〈.〉 by themselves. The one wants to retrieve the unknown quantum state ψ〈.〉 if and only if some information from the other is provided. This protocol has been used in many applications, such as quantum money schemes introduced by Wiesner (1983), Wang et al. (2007), quantum errorcorrecting codes introduced by Cleve, Gottesman & Lo (1999), Matsumoto (2017), and a graphtheoretic protocol introduced by Sarvepalli (2012), Gravier et al. (2015), demonstrating its importance.
The circuit for Quantum Secret Sharing is depicted in Fig. 4. We suppose that Charlie will reconstruct the unknown quantum state ψ〈.〉 sent by Alice with consent from Bob in the following description. Alice acts on q_{0} and q_{1}, Bob acts on q_{2}, and Charlie acts on q_{3} as follows:

First, we prepare an arbitrary unknown state ψ〈.〉 = α0〈.〉 + β1〈.〉 at q_{0}, where α and β are complex numbers such that α^{2} + β^{2} = 1. Initially, q_{1}, q_{2}, and q_{3} are in the basic state 0〈.〉.

Second, we apply a sequence of quantum gates to manipulate four qubits. We first apply the H gate on q_{1}, the CX gate on q_{1} and q_{2}, and the CX gate on q_{1} and q_{3} in order to make an entangled state shared between Alice, Bob, and Charlie. Alice then applies the CX gate on q_{0} and q_{1} followed by the H gate on q_{0}. Bob then applies the H gate on q_{2} to make it possible to measure in Xbasis (or the diagonal basis { + 〈.〉,  − 〈.〉}) subsequently.

Third, we measure the qubits q_{0}, q_{1}, and q_{2} and immediately obtain three classical outcomes (0 or 1) stored in c_{0}, c_{1}, and c_{2}, respectively.

Fourth, we conditionally apply singlequbit X, Z, and Z gates on q_{3} depending on the three classical bits in c_{1}, c_{0}, and c_{2}. Concretely, we use the X gate if c_{1} equals one and similarly for others. We can see that Charlie also needs to use the measurement outcome from Bob in order to reconstruct ψ〈.〉 in this step.
At the end, Charlie will have ψ〈.〉 with consent from Bob, and Alice will not have it anymore. We would like to verify whether Charlie can correctly reconstruct an arbitrary unknown quantum state sent by Alice with consent from Bob at the end by using our symbolic model checking. Note that this property is one aspect of QSS because we do not consider the following property under verification: neither Bob nor Charlie can independently reconstruct ψ〈.〉 by themselves.
Specification of quantum secret sharing
We can describe the circuit for Quantum Secret Sharing based on the actions specified in ‘Formal Specification’ as follows:
H(1) CX(1, 2) CX(1, 3) CX(0, 1) H(0) H(2) M(0) M(1) M
(2)
(c[1] == 1 ? X(3)) (c[0] == 1 ? Z(3)) (c[2] == 1 ? Z
(3))
Let I_{QSS} be the set of initial states for Quantum Secret Sharing. It consists of only one initial state as follows:
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: a . 0> + b . 1>)
(q[1]: 0>) (q[2]: 0>) (q[3]: 0>))
(bits: empty)
(actions:
H(1) CX(1, 2) CX(1, 3) CX(0, 1) H(0) H(2)
M(0) M(1) M(2)
c[1] == 1 ? X(3)
c[0] == 1 ? Z(3)
c[2] == 1 ? Z(3))}
where
a
and
b
are Maude constants denoting arbitrary scalars such that a^{2} + b^{2} = 1. Initially, the
isEnd
observable component is false, the
prob
observable component is one, the
qstate
is a symbolic state that is the same as the input state of the protocol, the
actions
observable component contains the action list describing how the protocol works.
Model checking quantum secret sharing
Let K_{QSS} and
init
be the Kripke structure and the initial state for Quantum Secret Sharing, respectively. To model check that K_{QSS} satisfies desired properties, we specify A_{QSS} and L_{QSS}. A_{QSS} has one atomic proposition
isSuccess
. L_{QSS} is specified as follows:
eq {(isEnd: true) (qstate: Q) (prob: Prob) OCs} =
isSuccess
= Prob > 0 implies (qubitAt(Q, 3) == qubitAt(qstate(
init), 0) or
(1) . qubitAt(Q, 3) == qubitAt(
qstate(init), 0)).
eq {OCs} = PROP = false [owise] .
where
Q
and
Prob
are Maude variables denoting the whole quantum state and the probability at a state, respectively.
The two equations say that
isSuccess
holds at a state if the state contains
(isEnd: true)
,
(qstate: Q)
, and
(prob: Prob)
such that the condition
qubitAt(Q, 3) == qubitAt(qstate(init), 0)
or
qubitAt(Q, 3) == qubitAt(qstate(init), 0)
holds whenever
Prob > 0
holds, meaning that the qubit received by Charlie with consent from Bob at the end is equal to the qubit sent by Alice at the beginning with a nonzero probability. Note that a factor γ on a quantum state for which γ = 1 is regarded as a global phase and quantum states that differ only by a global phase are physically indistinguishable and equivalent as shown in Nielsen & Chuang (2010). That is why we use
(1). qubitAt(Q, 3) == qubitAt(qstate(init), 0)
in addition to
qubitAt(Q, 3) == qubitAt(qstate(init), 0)
in the condition. Let
secretProp
be an LTL formula defined as
<> isSuccess
.
We want to model check that K_{QSS} = 〈S, I_{QSS}, T, A_{QSS}, L_{QSS}〉 satisfies
secretProp
from the initial state
init
in Maude as follows:
red modelCheck(init, secretProp) .
No counterexample is found in just 13 ms and so K_{QSS} satisfies
secretProp
In other words, we successfully verify the correctness of the Quantum Secret Sharing by using our symbolic model checking approach.
Quantum gate teleportation
Introduction
Quantum Gate Teleportation (QGT) is a generalization of quantum teleportation invented by Gottesman & Chuang (1999) for teleporting two arbitrary states through the controlledNOT gate with the use of six qubits and four classical bits. This protocol can be regarded as a single technique to reduce resource requirements for quantum computers and unifies known protocols for faulttolerant quantum computations, demonstrating its importance.
The circuit for Quantum Gate Teleportation^{2} is depicted in Fig. 5. Alice acts on q_{0} and q_{1}, Bob acts on q_{2}, q_{3}, q_{4}, and q_{5} as follows:

First, Alice prepares an arbitrary unknown state ψ〈.〉 = a0〈.〉 + b1〈.〉 at q_{0}, where a and b are complex numbers such that a^{2} + b^{2} = 1. Similarly, Bob also prepares an arbitrary unknown state φ〈.〉 = c0〈.〉 + d1〈.〉 at q_{5}. Initially, q_{1}, q_{2}, q_{3}, and q_{4} are in the basic state 0〈.〉.

Second, we prepare an entangled state shared between Alice and Bob from q_{1} to q_{4} by applying a sequence of quantum gates as follows. We first apply the H gate on q_{1}, the CX gate on q_{1} and q_{2}, the H gate on q_{3}, the CX gate on q_{3} and q_{4}, and finally the CX gate on q_{3} and q_{2}.

Third, Alice then applies the CX gate on q_{1} and q_{0} followed by the H gate on q_{1}. Meanwhile, Bob applies the CX gate on q_{5} and q_{4} followed by the H gate on q_{5}.

Fourth, we measure the qubits q_{0}, q_{1}, q_{4}, and q_{5} and immediately obtain four classical outcomes (0 or 1) stored in c_{0}, c_{1}, c_{4}, and c_{5}, respectively.

Fifth, we conditionally apply the X gate on q_{2} and q_{3}, the Z gate on q_{3}, the X gate on q_{2}, and the Z gate on q_{2} and q_{3}, depending on the four classical bits in c_{4}, c_{5}, c_{0}, and c_{1}.
At the end, Bob will have the controlledNOT gate of φ〈.〉 and ψ〈.〉 (i.e., CX(φ〈.〉, ψ〈.〉) at the indices q_{2} and q_{3}. We would like to verify whether Alice can successfully teleport two arbitrary unknown quantum states through the controlledNOT gate to Bob at q_{2} and q_{3} at the end by using our symbolic model checking.
Specification of quantum gate teleportation
We can describe the circuit for Quantum Gate Teleportation based on the actions specified in ‘Formal Specification’ as follows:
H(1) CX(1, 2) H(3) CX(3, 4) CX(3, 2) CX(1, 0) H(1) CX
(5, 4) H(5)
M(0) M(1) M(4) M(5)
(c[4] == 1 ? X(2) X(3))
(c[5] == 1 ? Z(3))
(c[0] == 1 ? X(2))
(c[1] == 1 ? Z(2) Z(3))
Let I_{QGT} be the set of initial states for Quantum Gate Teleportation. It consists of only one initial state as follows:
{(isEnd: false)
(prob: 1)
(qstate: (q[0]: a . 0> + b . 1>)
(q[1]: 0>) (q[2]: 0>)
(q[3]: 0>) (q[4]: 0>)
(q[5]: c . 0> + d . 1>))
(bits: empty)
(actions:
H(1) CX(1, 2) H(3) CX(3, 4) CX(3, 2) CX(1, 0) H(1)
CX(5, 4) H(5)
M(0) M(1) M(4) M(5)
(c[4] == 1 ? X(2) X(3))
(c[5] == 1 ? Z(3))
(c[0] == 1 ? X(2))
(c[1] == 1 ? Z(2) Z(3))}
where
a
,
b
,
c
, and
d
are Maude constants denoting arbitrary scalars such that a^{2} + b^{2} = c^{2} + d^{2} = 1. Initially, the
isEnd
observable component is false, the
prob
observable component is one, the
qstate
is a symbolic state that is the same as the input state of the protocol, the
actions
observable component contains the action list describing how the protocol works.
Model checking quantum gate teleportation
Let K_{QGT} and
init
be the Kripke structure and the initial state for Quantum Gate Teleportation, respectively. To model check that K_{QGT} satisfies desired properties, we specify A_{QGT} and L_{QGT}. A_{QGT} has one atomic proposition
isSuccess
. L_{QGT} is specified as follows:
eq {(isEnd: true) (qstate: Q) (prob: Prob) OCs} =
isSuccess
= Prob > 0 implies (qubitAt(Q, 3 2) == qubitAt(
targetQState, 0 1) or
(1) . qubitAt(Q, 3 2) == qubitAt(
targetQState, 0 1)) .
eq {OCs} = PROP = false [owise] .
where
Q
and
Prob
are Maude variables denoting the whole quantum state and the probability at a state, respectively.
targetQState
represents the outcome of the protocol, the controlledNOT gate of the two arbitrary states, which is defined as follows
eq targetQState = ((q[0]: c . 0> + d . 1>) (q[1]: a
. 0> + b . 1>)).CX(0, 1) .
The two equations to specify A_{QGT} say that
isSuccess
holds at a state if the state contains
(isEnd: true)
,
(qstate: Q)
, and
(prob: Prob)
such that the condition
qubitAt(Q, 3 2) == qubitAt(targetQState, 0 1)
or
(1) . qubitAt(Q, 3 2) == qubitAt(target
QState, 0 1)
holds whenever
Prob > 0
, meaning that Alice can successfully teleport two arbitrary unknown quantum states through the controlledNOT gate to Bob at the end with a nonzero probability. Again, because of the global phase in quantum states as shown in Nielsen & Chuang (2010), we use
(1) . qubitAt(Q, 3 2) == qubitAt(targetQState, 0 1)
in addition to
qubitAt(Q, 3 2) == qubitAt(targetQState, 0 1)
in the condition. Let
gateProp
be an LTL formula defined as
<> isSuccess
.
We want to model check that K_{QGT} = 〈S, I_{QGT}, T, A_{QGT}, L_{QGT}〉 satisfies
gateProp
from the initial state
init
in Maude as follows:
red modelCheck(init, gateProp) .
No counterexample is found in just 176 ms and so K_{QGT} satisfies
gateProp
. In other words, we successfully verify the correctness of Quantum Gate Teleportation by using our symbolic model checking approach.
Remark on Quantum Gate Teleportation
This section describes a remark on Quantum Gate Teleportation where we show that a circuit for the original version of the protocol does not satisfy its desired property, while we present a revised circuit for the protocol and verify that it satisfies its desired property using our symbolic model checking approach.
The reader can refer to the circuit for the original version of Quantum Gate Teleportation from Gottesman & Chuang (1999), Fig. 2. In that figure, they use a Bell measurement denoted by the box B twice in the circuit. A Bell measurement can be described in terms of a CX gate, a Hadamard gate, and a measurement in the standard basis. However, there are two possible orientations for applying the CX gate and the Hadamard gate. The difference is apparent by comparing Figs. 6 and 7 as also presented by Williams (2008). The Bell measurement that uses the Bellbasis measurement gate in Fig. 6 is called the up Bell measurement. Meanwhile, the Bell measurement that uses the Bellbasis measurement gate inserted upside down in Fig. 7 is called the down Bell measurement. Gottesman & Chuang (1999) did not explicitly clarify which Bell measurement was used. However, they described it in their article exactly as follows:
The box B represents measurement in the Bell basis; that is, if the two qubits entering B are found to be 00〈.〉 + 11〈.〉 (leaving out the $\sqrt{2}$ normalization for clarity), then the outputs xy = 00; for 01〈.〉 + 10〈.〉, xy = 10; for 00〈.〉 − 11〈.〉, xy = 01; and for 01〈.〉 − 10〈.〉, xy = 11.
Note that xy denotes the first and second qubits entering the box B. Based on the above description in the original article, we use the down Bell measurement. If so, the circuit for Quantum Gate Teleportation is depicted in Fig. 8. Let us call this circuit the original circuit.
We conducted a model checking experiment with the same initial state and the desired property described in ‘Quantum Gate Teleportation’ for the original circuit. A counterexample was found by the Maude LTL model checker, implying that Quantum Gate Teleportation does not satisfy the property with the use of the original circuit. Because the counterexample is overlong, we just excerpt and present the final state repeated forever in the counterexample as follows:
{(isEnd: true)
(prob: 1/16)
(qstate:
(q[0]: 0>) (q[1]: 0>)
(q[4]: 0>) (q[5]: 1>)
(q[3 2]: (a .* c) . 0> (x) 0> + (a .* d) . 1> (x
) 1> +
(b .* c .* 1) . 0> (x) 1> + (b .* d .*
1) . 1> (x) 0>)
(bits: (0 > 0, 1 > 0, 4 > 0, 5 > 1))
(actions: nil)
We can see that the qubits at indices 3 and 2 do not match the controlledNOT gate of the two arbitrary states represented by
targetQState
in ‘Quantum Gate Teleportation (QGT)’. That is why the original circuit for Quantum Gate Teleportation does not satisfy the property. To replay the counterexample, we can conduct as follows: the sequence of quantum gates in the original circuit is applied as usual for the initial state, followed by the measurements of the first, second, fourth, and fifth qubits such that their measurement outcomes are 0, 0, 0, and 1, respectively. Furthermore, even if we use the up Bell measurement in place of the down Bell measurement, its corresponding circuit of Quantum Gate Teleportation also does not satisfy the property. Therefore, regardless of the use of either up or down Bell measurement, the quantum circuit proposed by Gottesman & Chuang (1999) does not enjoy the desired property.
We revised the original circuit for Quantum Gate Teleportation by changing the positions of the Z and X gates applied to qubits with respect to the values of c_{5} and c_{0}, respectively. Concretely, we apply the Z gate to q_{3} instead of q_{2}, the X gate to q_{2} instead of q_{3} depending on the values of c_{5} and c_{0}, respectively, for the revised circuit compared to the original circuit. The revised circuit is depicted in Fig. 5 in ‘Quantum Gate Teleportation (QGT)’. For the revised circuit of Quantum Gate Teleportation, we successfully verified the correctness of the protocol by using our symbolic model checking approach. This demonstrates the usefulness of our symbolic model checking approach for verifying quantum circuits.
Experimental Results
This section summarizes our experimental results for verifying the correctness of several quantum communication protocols with our symbolic model checking approach, including Superdense Coding introduced by Bennett & Wiesner (1992), Quantum Teleportation introduced by Bennett et al. (1993), Quantum Secret Sharing introduced by Hillery, Bužek & Berthiaume (1999), Entanglement Swapping introduced by Zukowski et al. (1993), Quantum Gate Teleportation introduced by Gottesman & Chuang (1999), Two Mirrorimage Teleportation introduced by Williams (2008), and Quantum Network Coding introduced by Satoh, Gall & Imai (2012). The experiments were conducted with an iMac that carries a 4 GHz microprocessor with eight cores and 32 GB memory of RAM. The experimental results are shown in Table 3. The second, third, and fourth columns denote the number of qubits in each protocol, the number of states in the reachable state space of each protocol under model checking, and the verification time for each protocol, respectively.
For case studies ranging from two to ten qubits, model checking experiments were quickly completed in times from 1 ms to 2,446 ms as shown in Table 3. The number of states in the reachable state space for Quantum Network Coding with ten qubits is notably larger compared to the number of states in the reachable state space for each of the first six protocols. Nevertheless, the model checking experiment for Quantum Networking Coding could be completed in a short amount of time. Without the aid of computer programs, such as our support tool implemented in Maude, it is almost impossible to achieve the same results. These results demonstrate the usefulness of our symbolic model checking approach to verifying quantum circuits in Maude. As one piece of future work, we would like to tackle more case studies with a larger number of qubits to present the scalability of our approach.
Protocol  Qubits  States  Verification time 

Superdense coding  2  16  1 ms 
Quantum teleportation  3  27  3 ms 
Quantum secret sharing  4  65  13 ms 
Entanglement swapping  4  29  3 ms 
Two mirrorimage teleportation  6  151  15 ms 
Quantum gate teleportation  6  168  176 ms 
Quantum network coding  10  7,373  2,446 ms 
Discussion
This section discusses some limitations of our approach, challenges in using a classical model checker to verify quantum circuits with their desired properties, and how we address these challenges.
Limitations
In the context of symbolic reasoning for complex numbers, we have extended rational numbers supported in Maude to deal with complex numbers. Our objective is to represent arbitrary complex numbers in a pure quantum state using fresh constants representing arbitrary complex numbers and manipulating them without using any concrete values for real numbers. As a result, our current framework cannot handle any concrete values for real numbers. Nevertheless, we plan to explore the use of float numbers supported in Maude for simulating quantum circuits with concrete values in the future. As shown in Appendix 2, we have specified some basic operations for complex numbers, such as multiplication, division, addition, conjugation, absolute, power, and square roots. Note that the formal specification of complex numbers is not complete in this article. Hence, there may be some cases where symbolic reasoning for complex numbers could not further reduce terms. As part of our future work, we aim to enrich the framework for complex number reasoning as much as possible.
Regarding symbolic reasoning for quantum computation, we only support a limited set of quantum gates, including I, X, Y, Z, H, CX, S, T, CY, CZ, SWAP, CCY, CCZ, and CSWAP gates. Consequently, a restricted set of quantum protocols can be described in our framework. Although we support a universal set of quantum gates, including the Clifford gates (i.e., H, S, and CX) and the phase shift gate T, universal quantum computations could not be handled by our framework at this moment because the symbolic reasoning for complex numbers is not complete. We would like to extend our symbolic reasoning to handle more quantum gates so that a wider range of quantum protocols can be verified using our approach.
Challenges and future prospects
There are some challenges that we need to address in order to use the Maude LTL model checker, a classical model checker, to verify quantum circuits with their desired properties. In addition, this section also outlines future prospects in model checking quantum circuits.

First, we need to devise a way to specify quantum states, quantum gates, and measurements in a Maude specification to reason about quantum computation. We specified quantum states, quantum gates, and measurements in Dirac notation and used a set of laws from quantum mechanics and basic matrix operations to reason about quantum computation automatically in Maude. Moreover, Maude does not support complex numbers as a builtin type. Therefore, we extended rational numbers, a builtin type in Maude, so as to deal with complex numbers symbolically as described in Appendix A.

Second, quantum gates can be applied to quantum states in a deterministic way, while quantum measurements are inherently nondeterministic and the states after the measurements will collapse. It is natural to use rewriting logic to describe nondeterministic or concurrent behaviors in Maude in the form of rewrite rules. We specified a binary projective measurement using two rewrite rules corresponding to two nondeterministic choices, as described in ‘Formal Specification’.

Third, we need to appropriately handle both pure and entangled states in our formal specification and devise a simple notation to conveniently describe the behavior of quantum circuits. We specified a whole quantum state as a collection of qubits associated with indices in quantum circuits, enabling flexible reference to specific parts of a quantum state using indices. The behavior of quantum circuits has been specified as a list of actions, a convenient and sufficient approach for us to concisely describe their behavior.

Lastly, we need to represent quantum states and quantum gates in order to effectively model check quantum circuits with as many qubits as possible. Using Dirac notation in our specification allows us to avoid many redundancies compared to explicitly using vectors and matrices to represent quantum states and quantum gates, respectively, making our representation more compact than that of Paykin, Rand & Zdancewic (2017). Early work proposed by Gay, Nagarajan & Papanikolaou (2005) could not support the analysis of quantum systems with five qubits, while our approach could handle case studies of up to ten qubits, showing the effectiveness of our approach. However, in order to handle quantum systems with hundreds of qubits in the future, we need to use or come up with advanced techniques to effectively simulate quantum computation(e.g., using decision diagrams for quantum computing proposed by Wille, Hillmich & Burgholzer (2022), Wille, Hillmich & Burgholzer (2023)) or analyze such quantum systems in a modular way.
Last but not least, our approach implemented in Maude can be a first step toward a general framework for specifying and verifying quantum circuits when we can reuse some essential elements in the Kripke structures. For specifying and verifying a quantum circuit, we are supposed to define an initial state, describe the behavior of the quantum circuit in terms of a list of actions, and specify atomic propositions and the labeling function based on which a desired property can be constructed. Given the system specification with the initial state and the desired property, the Maude LTL model checker automatically checks whether the system specification satisfies the desired property reachable from the initial state.
Related Work
There are several studies in the early work of formal specification and verification of quantum protocols, such as Gay, Nagarajan & Papanikolaou (2005); Elboukhari, Azizi & Azizi (2010). For example, Gay, Nagarajan & Papanikolaou (2005) provide a way to use classical model checkers (e.g., PRISM  a probabilistic model checker) to analyze quantum protocols. They give each quantum state a unique number and the transition from a unique number to another unique number models the action of quantum gates and measurements. Their approach needs to enumerate states, calculate the state transitions in advance, and then encode them into a PRISM specification. Although they developed a socalled PRISMGEN tool to automate this, their approach is impractical in reality and only supports two or three qubits because of the exponential growth of the number of states. Our approach does not need to enumerate such states in advance because a quantum state is directly specified in Dirac notation with scalars. Moreover, rewrite rules are used to specify the action of quantum gates and measurements, making our approach feasible to deal with more qubits. For example, we have verified the correctness of Quantum Network Coding that has ten qubits by using our symbolic model checking approach.
Ying (2021) proposes a framework for assertionbased verification of quantum circuits by using model checking techniques. In this work, quantum circuits are represented by tensor networks, where a tensor is a multidimensional array of complex numbers, and two tensors sharing indices are connected by a tensor contraction, which basically is matrix calculation. Quantum states and quantum gates are specified as tensors, and quantum circuits are specified as tensor networks. Given a quantum state as an input to a quantum circuit, the output will be the contraction of the quantum state and the quantum circuit. Assertions or properties about quantum circuits are specified using computation tree quantum logic (CTQL), an extension of the Birkoffvon Neumann quantum logic presented in Birkhoff & Neumann (1936). Using tensor network representation of quantum circuits, they can conveniently implement a reachability analysis algorithm and a model checking algorithm for quantum circuits by contraction of tensor networks. Compared to our work, Dirac notation is used to express quantum states and quantum gates instead of tensors, and quantum circuits are described by an action list with simple notations instead of tensor networks. Our reasoning on quantum circuits is mainly based on the laws of quantum mechanics and matrix operations with Dirac notation, but they construct contraction between tensors in tensor networks. We use LTL to express desired properties for quantum circuits instead of CTQL. It seems that they cannot deal with quantum circuits together with the appearance of classical bits obtained from measurements, while our approach can do so. Moreover, they do not show any case study to which their framework can apply.
Burgholzer & Wille (2021) have proposed an advanced method for equivalence checking of quantum circuits. Their approach involves two quantum circuits G and G′ as inputs and they check whether the two quantum circuits are equivalent. They leverage two key observations: (1) quantum circuits are inherently reversible, and (2) even small differences in quantum circuits may impact the overall behavior of quantum circuits. Let us suppose that two quantum circuits are sequences of unitary transformations: G = U_{m−1}…U_{0} = U and ${G}^{\prime}={U}_{{m}^{\prime}1}^{\prime}\dots {U}_{0}^{\prime}={U}^{\prime}$ operating on n qubits. Executing a quantum circuit to evolve an initial state ψ〈.〉 to another state ψ′〈.〉 such that U_{m}…U_{0}ψ〈.〉 = Uψ〈.〉 = ψ′〈.〉 is called simulation. For (1), G is equivalent to G′ if and only if ${\left({U}_{0}^{\prime}\right)}^{1}\dots {\left({U}_{{m}^{\prime}1}^{\prime}\right)}^{1}{U}_{m1}\dots {U}_{0}=I$ or ${\left({U}_{0}^{\prime}\right)}^{\u2020}\dots {\left({U}_{{m}^{\prime}1}^{\prime}\right)}^{\u2020}{U}_{m1}\dots {U}_{0}=I$ when ${\left({U}_{i}^{\prime}\right)}^{1}={\left({U}_{i}^{\prime}\right)}^{\u2020}$ due to their unitary matrices. They employ decision diagrams to represent matrices and try to resolve ${\left({U}_{{i}^{\prime}}^{\prime}\right)}^{\u2020}{U}_{i}$ into the identity matrix I for effectively solving the equivalence checking problem. For (2), comparing the entire matrices of U and U′ is unnecessary when two quantum circuits are not equivalent. Comparing some columns of each U and U′ is enough to conclude the equivalence checking problem. Constructing a single column of U (or U′) equates to simulating G (or G′) with the standard basis state i〈.〉 as follows: ${u}_{i}^{0}\u3008.\u3009={U}_{0}i\u3008.\u3009$, ${u}_{i}^{\left(j\right)}\u3008.\u3009={U}_{j}\cdot {u}_{i}^{\left(j1\right)}$ for j ∈ {1, …, m − 1}. As the results of these simulations, if ${u}_{i}\u3008.\u3009={u}_{i}^{\left(m1\right)}\u3008.\u3009$ and ${u}_{i}^{\prime}\u3008.\u3009={{u}^{\prime}}_{i}^{\left({m}^{\prime}1\right)}\u3008.\u3009$ are different, it indicates nonequivalence of the two quantum circuits. These can be quickly checked through a randomized selection of some columns with simulations. While their approach is promising, it differs from ours when we take a formal specification for a quantum circuit and a formal property for a desired property as inputs and check whether the quantum circuit satisfies the desired property. Nevertheless, we may utilize their idea to extend our symbolic reasoning to check the equivalence of quantum circuits, which would be one interesting direction.
The ZX calculus, as proposed by Coecke & Duncan (2011), is a graphical formal language for quantum systems equipped with a robust set of rewrite rules that enable a graphical rewriting system for quantum computation. The graphical formalism of the ZX calculus can be implemented in the automated rewriting system Quantomatic proposed by Kissinger & Zamdzhiev (2015) for the automatic simplification process. The ZX calculus has various applications in quantum computing, such as verifying quantum errorcorrecting codes and equivalence checking of quantum circuits. For example, Peham, Burgholzer & Wille (2022) proposed an approach to the equivalence checking of quantum circuits using the ZX calculus. Given two quantum circuits U and U′, they produce their corresponding representations as ZXdiagrams D and D′. These diagrams are then combined into D^{†}D′ and simplified using the set of rewrite rules. If the result is in the form of the identity diagram, they can conclude their equivalence. Otherwise, nothing can be concluded because there are multiple forms for a ZX diagram in general. This approach is intuitive when we can see which rewrite rules are used and how ZX diagrams are changed accordingly. Our approach based on Dirac notation may be less intuitive. However, our approach is to verify whether quantum circuits satisfy their desired properties, which are different from the equivalence checking of quantum circuits as mentioned above.
Rand, Paykin & Zdancewic (2018) implement the QWIRE programming language, a highlevel abstraction to describe quantum circuits for programmers, in the Coq proof assistant and use Coq’s theorem proving features to prove desired properties for quantum circuits. They explicitly use matrix representations, while we use Dirac notation to reason about quantum circuits. As the inherent problem of theorem proving, they need to provide necessary lemmas in order to prove some properties that can be considered the most challenging task in theorem proving. Our approach is model checking and so it is completely automatic.
Our symbolic approach to model checking quantum circuits is inspired by Shi et al. (2021) and so it is the closest work to ours. However, their approach is oriented to theorem proving, not model checking. They also use Dirac notation with a small set of laws to specify quantum states, quantum gates, measurements, and reasoning about quantum circuits in Coq, an interactive theorem prover. However, they usually require human users to provide necessary lemmas to complete their proofs, which is generally a challenging task. Meanwhile, our approach is fully automatic and requires no human intervention. Moreover, our implementation can be a first step toward a general framework to formally specify and verify quantum circuits in a symbolic way in Maude.
Conclusion
We have proposed a symbolic approach to model checking quantum circuits using a set of laws from quantum mechanics and basic matrix operations with Dirac notation. We have analyzed the correctness of several quantum communication protocols in the early stage of quantum communication: Superdense Coding, Quantum Teleportation, Quantum Secret Sharing, Entanglement Swapping, Quantum Gate Teleportation, Two Mirrorimage Teleportation, and Quantum Network Coding as case studies to demonstrate the usefulness of our approach. In particular, we have identified that the original version of Quantum Gate Teleportation did not satisfy its desired property, and have proposed a revised version and confirmed its correctness using our approach and support tool. Moreover, our implementation developed in Maude can be a first step toward a general framework to formally specify and verify quantum circuits using our symbolic model checking approach. Our specification considers the probabilities of measurements, and then we can tackle both qualitative and quantitative properties with the builtin LTL model checker in Maude.
As one piece of our future work, we would like to extend our symbolic reasoning to handle more quantum gates and more complicated reasoning on complex number operations. As usual, we need to conduct more case studies to demonstrate the usefulness of our approach/implementation. As another line of future work, we also would like to apply our symbolic approach to model checking quantum programs and quantum cryptography protocols.