Resource-efficient verification of quantum computing using Serfling's bound

Verifying quantum states is central to certifying the correct operation of various quantum information processing tasks. In particular, in measurement-based quantum computing, checking whether correct graph states are generated or not is essential for reliable quantum computing. Several verification protocols for graph states have been proposed, but none of these are particularly resource efficient: Many copies are required in order to extract a single state that is guaranteed to be close to the ideal graph state. For example, the best protocol currently known requires $O(n^{15})$ copies of the state, where $n$ is the size of the graph state [D. Markham et al., arXiv:1801.05057 (2018)]. In this paper, we construct a significantly more resource-efficient verification protocol for graph states that needs only $O(n^5 \log{n})$ copies. The key idea that achieves such a drastic improvement is to employ Serfling's bound, which is a probability inequality in classical statistics. Utilizing Serfling's bound also enables us to generalize our protocol for qudit and continuous-variable graph states. Constructing a resource-efficient verification protocol for qudit and continuous-variable graph states is nontrivial. For example, previous verification protocols for qubit graph states that use the quantum de Finetti theorem cannot be generalized to qudit and continuous-variable graph states without hugely increasing the resource overhead. This is because the overhead caused by the quantum de Finetti theorem depends on the local dimension. On the other hand, in our protocol, the resource overhead is independent of the local dimension, and therefore generalizing to qudit or continuous-variable graph states does not increase the overhead. The flexibility of Serfling's bound also makes our protocol robust: It accepts slightly noisy but still useful graph states, which are rejected by previous protocols.

The Verification of quantum states plays an important role in ensuring the correct functioning of a number of quantum technologies including quantum computing, quantum cryptography, and quantum simulations. Graph states are a particularly important classof quantum state, since they provide a resource states for measurement-based quantum computation (MBQC) [1][2][3][4][5][6]. Hence, the problem of verifying quantum computation amounts to simply verifying measurements and verifying the resource state. In this paper, we consider the task of verifying these important resource states, both for qubit graph states, but also for more general qudit and continuousvariable (CV) graph states.
Let us consider the following general setup (as shown in Fig. 1): Bob has a universal quantum computer and he can prepare arbitrary quantum states. Alice, on the other hand, can only perform single-qubit measurements. She does not have any quantum memory, and she cannot apply entangling gate operations. Alice, therefore, delegates the preparation of graph states to Bob. Bob generates an nN total -qubit state ρ B and sends it to Alice. The state ρ B consists of N total registers, and each register contains n qubits. If Bob is honest, then the state of each register received by Alice is the correct n-qubit graph state |G . In other words, If Bob is malicious, on the other hand, ρ B can be any arbitrary nN total -qubit state. Alice randomly chooses N total − 1 registers and measures all of them. Is it possible to construct a protocol such that if these measurement results satisfy certain conditions, then the state of the remaining (i.e., unmeasured) single register is guaranteed to be close to the ideal state |G ? If such a verification protocol is possible, Alice can safely use the verified register for her desired MBQC [7]. This setup models usual experiments. Bob can be thought of as representing experimental equipment that is expected to generate many copies of the n-qubit graph state |G , and Alice is an experimentalist who has constructed the equipment. Alice wants to check whether the experimental equipment works correctly or not. In this case, it is not reasonable to assume that ρ B is any state, since the "attack" by the experimental equipment is not a malicious one, but is due to natural noise. In other words, The set up we consider in this paper. Bob generates an nN total -qubit state ρB that consists of N total registers. Each register is represented by a box and contains n qubits. Bob sends the state ρB to Alice. Alice randomly chooses N total − 1 registers, and measures each qubit of them. If the measurement results satisfy certain conditions, the unmeasured single register is guaranteed to be close to the ideal graph state |G . If Bob sends Alice each qubit of ρB one by one, and if Alice measures each qubit sequentially, Alice does not need any quantum memory. If we consider the qudit (qumode) case, the word "qubit" in the above explanation should be replaced with "qudit" ("qumode").
where E is a completely positive trace-preserving (CPTP) map that represents certain noise caused by the interaction between the experimental equipment and the environment. Due to the inherent asymmetry between Alice and Bob, the verification setup shown in Fig. 1 can also be considered as a cloud quantum computing scenario [8,9]. Imagine, Bob as the owner of a company which provides a quantum computing service over the cloud, and Alice as a (weak) client who wants to use the cloud service to perform her desired quantum operations. One of the ways to achieve this task is for Bob to generate graph states and send them to Alice one qubit at a time. Alice, who can only perform single-qubit measurements, measures each qubit, as it arrives, to perform her MBQC. Since Alice does not trust Bob, Alice has to verify the correctness of the graph states by herself. This situation is well modeled by taking E in Eq. (2) to be a general CPTP map, since Bob is restricted to non-adaptive attacks, which is equivalent to maliciously preparing the initial state.
Several verification protocols have been proposed for graph states [10][11][12][13][14][15][16]. Self-testing protocols, i.e., device-independent verification protocols have also been proposed for graph states [17]. All the previous protocols, however, have at least one of the three problems described below. First, they are not resource efficient, i.e., N total is large. For example, protocols of Refs. [10,11] use the idea of the quantum de Finetti theorem [18] to make ρ B close to independent and identically distributed (i.i.d.) copies of a single fixed state, but this comes at the cost of large overhead. Such protocols require N total = O(n 21 ) to complete the verification. There are some protocols that do not use the quantum de Finetti theorem [12][13][14][15], but nonetheless N total = O(n 15 ) (for details, see the "Resource efficiency of our protocol" subsection in the Results section).
Second, previous protocols [10,11,13,16,17] can verify only qubit states. Note that recently, in Ref. [15], the gen-eralization to qudit systems has been made without increasing N total = O(n 15 ). However, this resource overhead is large. Furthermore, the generalization to CV systems has not yet been made. In reality, there are many important qudit or CV quantum states such as the photon orbital angular momentum states [19] and the Gottesman-Kitaev-Preskill (GKP) states [20]. Recently, large-scale CV entangled states composed of more than 10 4 qumodes have been generated [21]. Verification protocols for qudit and CV states are therefore indispensable. However, constructing a resource-efficient verification protocol for qudit or CV graph states is not trivial. In the case when the quantum de Finetti theorem is used for a qudit system with the qudit dimension d ≥ 3, for example, N total depends on log d, and therefore if we take d → ∞ to construct a CV verification protocol, we have the unpleasant consequence that N total → ∞.
Finally, many previous protocols [12,[14][15][16] have zero error tolerance. Even if Bob is honest, the state ρ B that Alice receives might be slightly different from the ideal state |G ⊗N total because of the imperfections of Bob's operations and the channel noise between Bob and Alice. These slightly perturbed states can still be useful for fault-tolerant computation. The acceptance of such states by Alice would lead to better verification protocols. A fault-tolerant verification protocol [13] that accepts noisy but still error-correctable states has been proposed, but it can be only used for the bipartite graph states.
In this paper, we introduce a new verification protocol that overcomes all the three problems. First, we show that our protocol is significantly more resource efficient that previous approaches. To be precise, in our protocol, N total = O(n 5 log n). (Recall that the best known previous protocols need N total = O(n 15 ) [12][13][14][15].) The key idea to achieve this efficiency is to employ Serfling's bound [22,23]. Serfling's bound is a probability inequality for the sum in sampling without replacement, and is often used in classical statistics (for details, see the Methods section). Serfling's bound has also been used in the security proofs of quantum key distribution [23][24][25], but to the best of our knowledge, this is the first time that Serfling's bound has been applied to the verification of quantum computation.
Second, our protocol can be generalized to qudit and CV graph states, while maintaining resource efficiency. As we have explained, constructing a resource-efficient qudit or CV verification protocol is non-trivial. The reason why we succeed in the construction is again because of Serfling's bound: When we use Serfling's bound for a qudit system with d ≥ 3, N total is independent of d. Therefore, we can increase d without increasing N total . Note that our verification protocol for CV graph states can also be generalized to CV weighted hypergraph states. Hypergraph states are generalizations of graph states, and weighted means that a real number is associated with each hyperedge. The precise definition will be given later. Several important CV states are weighted hypergraph states, such as the CV cluster state [3] and the CV weighted toroidal lattice state [26], and our protocol is useful for verifying these states. We also point out that our verification protocol for CV graph states can be used to construct a verifiable blind quantum computing protocol with CV states. To the best of our knowledge, no verifiable blind CV quantum computing protocol was known previously.
Finally, our protocol is robust to some extent against slight perturbations of quantum states. For example, in previous protocols [12,[14][15][16], all N total −1 registers have to pass a test in order for Alice to accept the remaining state as correct, which means that slightly perturbed but still useful states are rejected by Alice. In our protocol, on the other hand, Alice accepts even if some of the N total − 1 registers fail a test. This relaxed acceptance criteria allows Alice to accept noisy but still useful resource states. As non-fault-tolerant small-scale quantum processors are becoming available [27][28][29], our protocols may be useful to verify these near-term quantum computers.
In addition to the verification protocols for graph states mentioned above, there are other approaches to verifiable quantum computing. The protocols in Refs. [30,31] use trap based techniques to perform verifiable blind quantum computing. In their protocols, a client is required to prepare single-qubit states while single-qubit measurements are required in our setup. In order to make the client classical, several multi-server protocols have been proposed [32][33][34][35][36]. Particularly, Coladangelo et al. have recently constructed two resource-efficient protocols for a classical client to verifiably delegate quantum computing to two non-communicating but entangled quantum servers [35]. Other multi-server protocols have also been proposed to make verification protocols device independent [37,38]. However, the assumption that servers do not communicate with each other is hard to impose in practice due to latency in real-world networks and the finite speed of quantum operations. Recently, Mahadev has shown that quantum computation can be verified by an entirely classical client even when only one quantum processor is available, under computational assumptions [39]. Such protocols, however, necessitate extremely large quantum processors due to the relatively large key sizes necessary for cryptographic security.

Results
This section is organized as follows: First, as preliminaries, we review the definitions of qudit graph states and their stabilizer operators. Second, we construct a stabilizer test as a sub-protocol of our verification protocol. With respect to CV weighted hypergraph states, we also review their definitions and construct a stabilizer test. After that, based on the stabilizer tests, we propose our verification protocol, which is the main result of this paper. We also discuss the resource efficiency and the error tolerance of our verification protocol. Finally, we generalize our verification protocol so that it can be used to verify multiple quantum states simultaneously.
of edges with n ≡ |V |. Here, |V | and |E| denote the number of elements of V and E, respectively. Let {|k } d−1 k=0 be an orthonormal basis in a d-dimensional Hilbert space, where d(≥ 2) is finite. A qudit graph state |G d that corresponds to G is defined by where |k is the +1 eigenvector of the generalized Pauli-X operator is a qudit analogue of the controlled-Z (CZ) gate acting on the ith and the jth qudits. It is easy to confirm that when d = 2, a qudit graph state becomes a conventional qubit graph state. The ith stabilizer g where N (i) is the set of neighbors of the ith vertex, and is the generalized Pauli-Z operator acting on the jth qudit. It is easy to check that g (d) i |G d = |G d . Stabilizer test for qudit graph states. Let us consider the following test, which we call the stabilizer test. The stabilizer test is an essential sub-protocol of our verification protocol for qudit graph states. Let ρ be an n-qudit quantum state. We define the stabilizer test for g (d) i on ρ as follows: Alice measures X i and Z j for all j ∈ N (i) . Let x i ∈ {0, . . . , d − 1} and z j ∈ {0, . . . , d − 1} be the measurement outcomes of X i and Z j , respectively. We say that Alice passes the stabilizer test for g Since the correct qudit graph state |G d always satisfies Eq. (4), it passes the stabilizer test for g with unit probability for all i.
CV weighted hypergraph states. We also review the definitions of CV weighted hypergraph states and their stabilizers.
Here, a hyperedge is a set of vertices, and Ω i ∈ R represents the weight of the ith hyperedge. An edge is a special case of the hyperedge when |e| = 2, where |e| denotes the number of vertices linked to the hyperedge e. Let be a CV weighted hypergraph state corresponding to G, where |0 p vi is a phase-squeezed state corresponding to the ith vertex, i.e. the eigenvector of the phase quadrature operator is a CV analogue of the CZ gate acting on qumodes corresponding to vertices in the hyperedge e j , andx i ≡ (â i + a † i )/ √ 2 is the amplitude quadrature operator acting on the ith qumode. From Eqs. (5) and (6), it can be seen that when |e j | = 2 for all j, a CV weighted hypergraph state becomes a CV weighted graph state. Since a hypergraph has at most 2 n − 1 hyperedges, the time required to generate a hypergraph state is at most O(2 n ). Hereafter, we assume that |E| = poly(n), because states with superpolynomial scaling in n in general require greater than polynomial time to generate, which is considered inefficient. The ith stabilizer g (7) wherep i is the phase quadrature operator acting on the ith qumode. Let E (i) be the set of hyperedges that contain the ith vertex v i . From Eq. (7), where we have used the Baker-Hausdorff lemma and the commutation relation [x,p] = i. It is easy to check that g (CV) i |G CV = 0|G CV . Since the quadrature operators can be measured using homodyne measurements, and Ω are known, the measurement of g (CV) i can be accomplished using only homodyne measurements, which are single-qumode measurements.
Stabilizer test for CV weighted hypergraph states. Let us explain the stabilizer test for CV weighted hypergraph states. This forms an essential sub-protocol of our CV verification protocol. Let ρ be an n-qumode quantum state. We define the stabilizer test for g (CV) i on ρ as follows: Alice measuresp i on the ith qumode andx k on all qumodes in ∪ ej ∈E (i) e j − {v i }. Let p i ∈ R and x k ∈ R be the measurement outcomes ofp i andx k , respectively. We say that Alice passes the stabilizer test for g Here, we assume that measurements are infinitely accurate. However, as shown in the "Robustness of our protocol" subsection in the Results section, we can relax this assumption to some extent. Since we assume that |E| = poly(n), Alice can calculate the left-hand side of Eq. (8)  Main protocol. Now we propose our verification protocol, which is the main result of the present paper. Our verification protocol for qudit graph states (CV weighted hypergraph states) runs as follows (see Fig. 2): 1. Bob sends an nN total -qudit (qumode) state ρ B to Alice as is shown in Fig. 1. The state ρ B consists of N total registers, and each register stores n qudits (qumodes). If Bob is honest, the state of each reg- . On the other hand, if he is malicious, ρ B can be any state.
2. Alice repeats the following for i = 1, . . . , n: She chooses N test registers from the remaining N total − (i − 1)N test registers independently and uniformly random, and then she performs the stabilizer tests for g ) on each of them. Let N pass,i be the number of registers that pass the stabilizer test for g she goes to step 4, where N th ≥ 0 is specified later in Theorem 1. Otherwise, she aborts the protocol.

Alice uniformly randomly chooses a single register
from the remaining N total − nN test registers that were not used for the stabilizer tests in step 2. We call the chosen single register the target register. She uses the target register for her MBQC. Finally, other remaining N total − nN test − 1 registers are discarded.
Bob just sends each qubit of ρ B one by one to Alice, and she randomly chooses her action from the stabilizer tests, MBQC on the target register, and discarding. Furthermore, our protocol does not assume any i.i.d. property on the quantum state ρ B . In other words, ρ B can be any state, and we do not assume that ρ B = σ ⊗N total , where σ is an n-qudit (qumode) state.
To show that our protocol is valid, we now show its completeness and soundness. Intuitively, if Alice accepts the correct quantum state with high probability, we say that the verification protocol has the completeness. In other words, the completeness means that Alice does not mistakenly reject the correct quantum state. On the other hand, if the verification protocol guarantees that the accepted quantum state is close to the correct state with high probability, we say that the verification protocol has the soundness. That is soundness means that Alice does not mistakenly accept any quantum state that is far from the ideal state. It is not difficult to show the completeness of our protocol. In fact, when Bob is honest, i.e., when he sends |G d ⊗N total (|G CV ⊗N total ) to Alice, she proceeds to step 4 with unit probability, because n i=1 N pass,i = nN test . With respect to the soundness, the following theorem holds: Theorem 1 (Soundness) If we set N total = 2nN test , N test = ⌈5n 4 log n/32⌉, and N th = N test /(2n), the n-qudit (qumode) state ρ tgt of the target register satisfies with probability at least 1 − n 1−5c/64 , where ⌈·⌉ is the ceiling function, c is any constant satisfying 64/5 < c < (n − 1) 2 /4, n ≥ 9, and |G ∈ {|G d , |G CV }.
A proof of Theorem 1 will be given in Appendix A, and a brief explanation of the proof will be given in the Methods section.
Resource efficiency of our protocol. To show the resource efficiency of our protocol, we compare it with the verification protocol of Ref. [14], which can verify any graph state and is one of the most efficient protocols currently known. Theorem 1 means that our verification protocol guarantees the fidelity 1 − (2 √ c + 1)/n with significance level n 1−5c/64 using N total = 2n⌈5n 4 log n/32⌉ registers. The verification protocol of Ref. [14] guarantees the fidelity 1 − 1/(αM ) with significance level α using M registers. Therefore, if we require the protocol of Ref. [14] to achieve the same fidelity and the significance level as ours, have to be satisfied. From these equations, we obtain while N total = O(n 5 log n). (Note that n ≥ 18 is required to satisfy c > 64 because c < (n − 1) 2 /4.) A similar argument holds for other previous protocols [12,13,15]. The reason why our protocol is more efficient than that of Ref. [14] can be explained as follows: the fidelity F ′ = 1 − 1/(αM ) of their protocol depends on M and α, and therefore, M has to be increased in order to decrease the order of the significance level α while keeping the order of 1 − F ′ . Our fidelity, F = 1 − (2 √ c + 1)/n, also depends on N total and the significance level, because n does, but our fidelity also contains the constant c, which is independent of N total . Therefore, by increasing c instead of increasing N total , we can improve the order of the significance level without increasing the order of 1 − F . The existence of such an extra parameter c is the advantage of using Serfling's bound. (The constant c comes from ν of Serfling's bound via ν = √ c/n 2 . For details, see the Methods section.) Robustness of our protocol. Our protocol has some error tolerance. To see it, let us consider a simple example where all registers of ρ B are in the same state σ, and the state σ is a slightly deviated state from the ideal state |G : where 0 < ǫ < 1, and η is any n-qudit (qumode) state. In other words, When ǫ = 1/poly(n), such σ is still useful for quantum computing, because where || · || is the trace norm, for any positive operator-valued measure (POVM) element A. Therefore, the output probability distribution of MBQC on σ is close to that on |G within the 1/poly(n) error, which is enough to solve, for example, bounded error quantum polynomial time (BQP) decision problems. When ǫ < O(1/(n 5 log n)), our protocol can accept ρ B of Eq. (10) with almost unit probability. In fact, by a direct calculation, our protocol accepts ρ B with the probability where ⌊·⌋ is the floor function. From p acc > (1 − ǫ) nNtest and nN test = O(n 5 log n), if ǫ < O(1/(n 5 log n)), p acc approaches 1 in the limit of large n.
The acceptance probability p acc of our protocol is higher than that of Ref. [14], which means that our protocol is more robust than that of Ref. [14]. In fact, the protocol of Ref. [14] accepts ρ B of Eq. (10) with the probability Therefore, if c > 64, where we have used Eq. (11) and the fact that nN test ≤ M −1, which is asymptotically true for large n when c > 64, because nN test = N total /2 = O(n 5 log n) and M = O(n t ) where t > 5 from Eq. (9). For simplicity, we have considered the tensor product Eq. (10) of the same state σ. However, it is easy to confirm that a similar argument holds even when small entanglement is created among registers of ρ B . Furthermore, since the errors considered above can also be treated as errors in measurements, we can relax the assumption where measurements are ideal to some extent.
Note that settingñ = 1 in Theorem 2 results in Theorem 1. This implies that Theorem 1 is a special case of Theorem 2.
In several tasks, such as sampling problems, Alice might want to have many copies of graph states. Theorem 2 is useful for such situations. In simple terms, Theorem 2 means that Alice can obtainñ = O(n t ) quantum states with the fidelity 1 − O(1/n 1−t ) using N total = O(n 5 log n) registers. The resource overhead O(n 5−t log n) of our protocol per single quantum state is almost the same as that O(n 4 log n) of some previous device-independent multi-server verification protocols [37,38]. Particularly, in the protocol of Ref. [37], the Azuma-Hoeffding bound [40,41] is used to achieve such overhead while we use Serfling's bound. A proof of Theorem 2 will be given in Appendix B.

Discussion
We have proposed an efficient and robust verification protocol for any qudit graph state and any polynomial-time-generated CV weighted hypergraph state using Serfling's bound. Our protocol is much more efficient than existing verification protocols when the size of the quantum state and the guaranteed fidelity is sufficiently large, and the significance level is sufficiently small.
Besides an application to the verification of universal quantum computing, our protocol can be applied to the verifiable blind quantum computing (VBQC) scenario. In VBQC, a client with weak quantum resources delegate an arbitrary quantum computing to a remote (universal) quantum server in such a way that the client's privacy is preserved and at the same time the integrity of the server is verified. Almost all of the VBQC protocols can be divided into two types, i.e., state-preparation (SP) type [30] and measurement-only (MO) type [12]. In the former type, the client is required to prepare single-or multi-qubit quantum states. On the other hand, in the latter one, the client is required to perform single-qubit projective measurements on the quantum states (usually graph states). A non-verifiable blind quantum computing (BQC) protocol using CV graph states has already been proposed for both types [42], but a VBQC protocol using CV graph states has not yet been proposed. In this paper, we focus on the MO type because the homodyne measurement is generally considered to be significantly easier than the generation of highly squeezed states. By combining the original MO-type BQC protocol [9] and our verification protocol of CV weighted hypergraph states, we construct a MO-type CV VBQC protocol as follows: 1. The quantum server generates N total CV cluster states [3], and sends them to the client.
2. The client performs our CV verification protocol. If the verification protocol succeeds, they proceed to the next step. Otherwise, the client aborts the protocol.
3. The client performs MBQC on the verified quantum states.
Note that this VBQC protocol requires no quantum memory for the client. Although the protocol above is phrased sequentially, when no quantum memory is used the computation is actually interspersed with the test runs, which themselves take place out of order, and the decision to accept or reject is taken once all qumodes have been measured or discarded.
From the universality of the CV cluster state, it follows that our CV VBQC protocol has perfect correctness, i.e., Alice can obtain the correct result if Bob is honest. Next, our protocol is blind, i.e., the server cannot learn client's inputs, algorithms, and outputs, because there does not exist any communication channel from the client to the server. Finally, the verifiability of our VBQC protocol follows from our CV verification protocol given in the Results section.
In our CV VBQC protocol, we assume that the honest server sends the client the ideal CV graph states whose squeezing level is infinite. One possible approach to relax this assumption is to construct a test where even finitely squeezed states can pass with sufficiently high probability. Recently, Liu et al. have constructed a fidelity witness with respect to the tensor products of finitely squeezed cubic phase states [43]. Based on this fidelity witness, they have also proposed another CV VBQC protocol. Therefore, their VBQC protocol does not need infinitely squeezed states unlike our VBQC protocol. On the other hand, their protocol assume that the malicious server is restricted to preparing i.i.d. copies of single-qumode states while the malicious server in our protocol can perform any CPTP map as the attack. It would be interesting to consider wether or not we can make CV VBQC protocols more practical by combining these two approaches.

Methods
In this section, we give an intuitive explanation of the proof of Theorem 1. (Detailed proof is given in Appendix A.) Our main tool is Serfling's bound: Lemma 1 (Serfling's bound [22,23]) Consider a set of binary random variables Y = (Y 1 , Y 2 , . . . , Y T ) with Y j taking values in {0, 1} and T = N + K. Then, for any 0 < ν < 1, where Π is a set of K samples chosen independently and uniformly at random from Y without replacement.Π is the complementary set of Π.
Note that the sampling without replacement means that once a sample is selected, it is removed from the population in all subsequent selections.
Here, we give a sketch of the proof of Theorem 1 using Serfling's bound. In step 2 of our protocol, when i = 1, Alice measures the stabilizer operator g 1 ∈ {g } for N test samples of the set Π (1) that is uniform and randomly chosen out of the total N total registers. In this case when Alice passes the stabilizer test for g 1 on the jth register (1 ≤ j ≤ N test ), Y j = 0; else Y j = 1. Therefore, by setting K = N test and T = N total in Lemma 1, it reveals the upper bound of the number of registers that are not stabilized by g 1 in the remaining complementary setΠ (1) , which includes N total − N test registers. Next, Alice performs the stabilizer tests for g 2 (when i = 2) by uniformly and randomly choosing N test registers, which are in the set Π (2) , from N total − N test remaining registers. Similarly, in Lemma 1, by setting K = N total and T = N total − N test , Alice can estimate that at most registers are not stabilized by g 2 in the remaining N total − 2N test registers that are not measured by g 1 and g 2 . From Eqs. (12) and (13), we find a lower bound on the number of remaining N total − 2N test registers that are stabilized by both g 1 and g 2 . In estimating this lower bound, we use the pigeonhole principle. In other words, we consider a worst case scenario where the remaining registers that are not stabilized by g 1 and g 2 do not completely overlap with each other.
Using the same argument recursively, Alice estimates a lower bound on the number of the remaining registers stabilized by all of {g i } n i=1 in the remaining N total − nN test registers. Since only the ideal state |G is stabilized by all the g i with 1 ≤ i ≤ n, this bound gives a lower bound N L cor on the number of the ideal states in the remaining registers. If N L cor /(N total − nN test ) is large, the fidelity of the target register is also large, because Alice finally selects one registers uniformly random from the remaining registers.
where Π (i) is a set of registers used to perform the stabilizer test for g i ,Π (i) is a set of the remaining registers after finishing the stabilizer tests for g i , and we have used N total = 2nN test to derive the last equality. Let us set ν = √ c/n 2 , where c is any constant satisfying 64/5 < c < (n − 1) 2 /4. If Alice proceeds to step 4, we can guarantee, from Eqs. (14) and (15), that at least registers pass all of the stabilizer tests with probability larger than n i=1 q i ≥ q n n = 1 − exp −2ν 2 N test 1 1 + 1/n where we have used n ≥ 1 and N test ≥ 1 to derive the second inequality. Note that we assume n ≥ 9 in Theorem 1, but in order to simplify the calculation, we here use n ≥ 1.
Let us apply Eqs. (17) and (18) to an n-qubit graph state |G . It is known that is the orthonormal basis, where Z i is the Pauli-Z operator acting on the ith qubit, and a ≡ {a i } n i=1 . It means that any quantum state can be expanded by these basis states. Eqs. (17) and (18) means that when the state ρ of the remaining N total − nN test (≡ N rest ) registers is expanded by these basis states: where a ≡ (a 1 , . . . , a Nrest ) and a p a, a = 1, the sum a∈S p a, a is larger than 1 − n 1−5c/64 . Here, S is a set of a such that the number of a k all of whose entries are 0 is larger than (n − 2 √ c − 1)N test . With respect to qudit graph states, we can apply the same argument by replacing Eq. (19) with the qudit orthonormal basis where Z i is the qudit Pauli-Z operator acting on the ith qudit. With respect to CV weighted hypergraph states, we can also apply the same argument by replacing Eq. (19) with the CV orthonormal basis where Z i (s i ) ≡ e isixi is the Weyl-Heisenberg operator acting on the ith qumode.
Since only the ideal state |G (∈ {|G d , |G CV }) always passes the stabilizer test for g i for any i, the ratio of the number of ideal states to that of non-ideal quantum states in the remaining registers is larger than Since the uniform random selection in step 4 is equivalent to selecting the first register of the remaining registers after the random permutation, a state ρ tgt of the target register is written as in the worst case where Eq. (16) is minimized. Note that off diagonal elements do not affect the fidelity with |G because |G is orthogonal to other orthonormal basis states. From Eqs. (18) and (20), we finally conclude that G|ρ tgt |G ≥ 1 − 2 √ c + 1 n with probability larger than 1 − n 1−5c/64 .

APPENDIX B: PROOF OF THEOREM 2
In this Appendix, we give a proof of Theorem 2. Proof. We modify our protocol in Theorem 1 in such a way that Alice choosesñ registers uniformly at random in step 4. Let N rest and N L cor be the number of remaining registers after step 2 and the lower bound on the number of the correct states in the remaining registers, respectively. If we set parameters N total , N test , and N th as with Theorem 1, from Eqs. (17) and (18), are satisfied with probability at least 1 − n 1−5c/64 . In this case, the stateρ tgt of theñ registers can be written as Therefore, we obtain Ifñ = O(n t ), where t < 1, c + 1)5ñn 4 log n 5n 5 log n − 32(ñ − 1) .