An Introduction to Quantum Model Checking

Abstract

Model checking is a well-established and widely adopted framework used to verify whether a given system satisfies the desired properties. Properties are usually given by means of formulas from a specific logic; there are several logics that can be used, such as CTL and LTL, which permit the expression of different types of properties on the branching-time or on the linear-time evolution of the system. In this paper, we will consider the problem of model checking quantum systems and present the solutions given in literature for solving such a problem with respect to different types of properties.

1. Introduction

One of the main questions a designer needs to answer while developing a new system, being it a program, a protocol, or some hardware, is: how can I be sure my system works as expected? There are several ways to answer this question.

• One can test the system, by feeding it with several inputs and looking at the correctness of the generated output. However, as Dijkstra said in his Turing Award lecture [1],
  • “program testing can be a very effective way to show the presence of bugs, but is hopelessly inadequate for showing their absence.”
• In fact, if the testing inputs do not trigger the bug, it remains undetected, ready to cause damages once the system is deployed to production.
• One can manually prove that the system is correct by applying the techniques learned in programming and cryptography courses, such as by using Hoare logic/triples to prove properties of programs or by showing that the cryptographic protocol is provably secure. This approach provides the desired guarantees, but it is tedious, error prone, and reasonably applicable only to very small systems.
• One can apply one of the several techniques developed by researches specifically for this purpose, such as model checking, abstract interpretation, and high-order theorem proving. These techniques can be usually applied automatically to the system and are able to scale to large systems.

This latter approach provides the positive answer to our initial question.

1.1. The Successful Story of Model Checking

Since the seminal works of Clarke and Emerson [2] and Queille and Sifakis [3], model checking has gained a wide popularity in the formal verification community and in industry. This is mainly motivated by the fact that once the model checker gives green light to a system, we can be sure that the system that has been fed into the model checker fulfills all checked properties. On the other hand, if the model checker gives red light to some property, it is usually able to provide a counterexample witnessing why the specific property is violated; such a counterexample can be used by the developer to more easily trace the source of the bug and fix it.

Model checking has been used in a variety of scenarios, from hardware [4,5,6,7,8] to software [9,10,11,12,13], from communication [14,15,16,17] and security protocols [18] to pacemakers [19], from airplane and train control [20,21] to satellites and spacecrafts [22,23,24,25], just to cite a few examples; more applications of model checking can be found in literature and in several books summarizing the techniques and the results achieved by the researchers, see, e.g., [26,27,28,29,30,31,32,33]. We can identify a few core aspects from these applications, which should be considered when choosing the model checking technique that best fits our needs.

• The system can have a probabilistic behavior, as a result of internal random choices (such as the sampling of nonces in a security protocol) or of external uncertainty (the message is sent on a noisy channel that may alter it).
• The system can have a nondeterministic behavior, as the result of multiple components running in parallel and interacting with each other in no predefined order.
• The system needs to take care of the amount of time available for reacting to input or for completing its tasks: a collision avoidance system installed on an airplane needs to warn the pilot as soon as possible about the risk of the collision; it is certain that it needs to do so within the time limits imposed by the aviation authorities.

Depending on the presence or the absence of these and other aspects, different models and model checking algorithms have been developed specifically for them.

Given the successful application of model checking in several fields, researchers working on quantum systems considered the application of model checking techniques to verify the quantum protocols they were proposing. One of the obstacles in the manual verification of a quantum system is the fact that quantum mechanics is not really intuitive, since there are quantum phenomena for which researchers have no first-hand experience. Entanglement and superposition of the states, for instance, are not something that a person can encounter in daily life; probabilistic choices, instead, are at hand by just flipping a coin or rolling a dice. As a result, it is more likely for quantum designers to unintentionally introduce bugs in a protocol than for protocol designers working with classical systems, where they need to take care of nondeterministic and probabilistic aspects that can be experienced in our macro-scale world. Having erroneous protocols can have a large impact on the usability and reliability of quantum systems, in particular when their usage will become more practical by the advancements in the realization of quantum computers.

Researchers working on quantum systems have already proposed quantum protocols, such as quantum coin-flipping [34,35], quantum key distribution [34,35,36], and super-dense coding [37], that are at the core of quantum cryptography. Quantum cryptography can be considered a reasonable replacement for classical cryptography, in case the bases of the latter are mined by the achievements in quantum computation. Nowadays, classical cryptography is based on the assumption that operations, such as number factorization and discrete logarithm computation, are difficult to perform, so an attacker needs to spend a considerable amount of time and resources in order to obtain, say, the prime factors p and q out of the given large number $n=pq$. Since factorization and discrete logarithm computation are indeed difficult problems to be solved by ordinary computers, designers rely on them when proposing cryptographic protocols providing security and privacy to our daily life online activities. Quantum computing, however, makes them easy: for instance, Shor [38] already provided quantum algorithms for integer factorization and discrete logarithm computation that work in polynomial time. This justifies the need of quantum protocols that are strong enough to provide the desired levels of security and privacy; moreover, such protocols need to work as expected, and to be trusted to do so.

Model checking is an appropriate technique for verifying that quantum protocols behave correctly and to provide evidence that this is the case, since such a verification task is exactly the motivation why the model checking framework has been developed. In order to apply model checking on quantum protocols, we first need to answer two questions.

1.

How can we model formally the given quantum protocol?

2.

How can we specify the desired properties?

The reminder of the paper is devoted to the answer to these questions.

1.2. How Can We Model Formally the Given Quantum Protocol?

When modelling quantum systems for model checking them, one of the main characteristics we need to take into consideration is that a quantum system is, by its own nature, continuous. The state space of a quantum system is usually represented as a finite d-dimensional Hilbert space ${\mathcal{H}}_d$ (the vector space ${\mathbb{C}}^d$ equipped with an inner product operation), which is a continuum. Although the Hilbert space ${\mathcal{H}}_d$ can be finitely represented, for instance by taking d pairwise orthogonal vectors forming a basis for ${\mathcal{H}}_d$, the states in the state space are infinitely many. However, model checking usually expects to deal with finite state spaces, even when applied to continuous systems. For example, for continuous time Markov chains, the model still has a finite state space and the continuous time is represented by exponential distributions governing the delay in taking the transition from a state to another; for timed automata, the automaton has a finite number of locations and the continuous time is represented by clocks that increase uniformly and that enable, and possibly force, to take transitions to other locations. Depending on the formula to be analyzed, the continuous behavior of the system is first made discrete by applying different discretization techniques (such as regions and zones for timed automata), and then the obtained system is checked against the given property (cf. [26,27]).

Developing similar discretization techniques for quantum systems does not seem to be an easy task. Thus, researchers started to look for models with a finite number of states still able to encode the continuous quantum states. Instead of considering all quantum states of the system to analyze, Gay et al. [39,40] restricted the state space to a set of finitely describable stabilizer states; in addition, they also considered only quantum operations of the Clifford group. In this way, they were able to present an efficient model checker for quantum protocols based on purely classical algorithms; it has been implemented as an automatic tool that can be used to model check quantum communication protocols [41]. This approach, while being useful, is also limited: since it is based on stabilizer states, it does not extend to more general protocols involving non-stabilizer states. Independently from Gay et al., Hung et al. [42,43] adopted a similar approach for the synthesis of quantum circuits. In their work, they use a symbolic reachability analysis to formulate the problem of the quantum logic synthesis problem; in this way, they reduce the original problem to a multiple-valued logic synthesis problem, which simplifies the search space and the complexity of the synthesis problem.

In [44], Feng et al. overcome these limitations. The model for quantum protocols they introduced is defined on top of classical Markov chains: it keeps the classical, discrete state space of a Markov chain and replaces the probability values decorating the transitions between states with super-operators. This means that quantum states and operations are unrestricted, thus it is possible to model general quantum protocols.

We will present the model proposed by [44] in more details in Section 2 but, as an example, consider the simple loop program shown in the left part of Figure 1. This program first applies at line ${\ell }_0$ the $\frac{1}{2}$-amplitude damping channel $\mathcal{A}=\{E_0,E_1\}$, where $E_0=|0\rangle \langle 0|+\frac{1}{\sqrt{2}}|1\rangle \langle 1|$ and $E_1=\frac{1}{\sqrt{2}}|0\rangle \langle 1|$, on the quantum system q as initialization. Then, at line ${\ell }_1$ it measures q, by means of the two-outcome projective measurement $M={\lambda }_0|0\rangle \langle 0|+{\lambda }_1|1\rangle \langle 1|$. If the observed outcome is ${\lambda }_1$, then the program applies the Hadamard super-operator $\mathcal{G}$ to q and its outcome is measured again in line ${\ell }_1$. The application of $\mathcal{G}$ is repeated until the outcome ${\lambda }_0$ is observed: the program just terminates at line ${\ell }_3$. The corresponding quantum Markov chain is depicted on the right of Figure 1: the single lines of the program are taken as the classical states of the quantum Markov chain, while the instruction performed on each line is used to decorate the corresponding transition; note that we split the projective measurement M into the two super-operators ${\mathcal{E}}_0=\left\{|0\rangle \langle 0|\right\}$ and ${\mathcal{E}}_1=\left\{|1\rangle \langle 1|\right\}$, since there are two possible outcomes ${\lambda }_0$ and ${\lambda }_1$, respectively, leading to two different states/program lines. This simple loop program cannot be represented in the model given by Gay et al., since the $\frac{1}{2}$-amplitude damping channel $\mathcal{A}$ is not an operation available in the Clifford group.

In this paper we use the model of quantum Markov chains, as introduced by [44], to which we refer to for a more detailed comparison with other types of super-operator weighted Markov chains available in literature. This model is well suited to model quantum programs and protocols: as we have seen for the loop program above, representing the given program or protocol as a quantum Markov chain is not so complicated, since the classical states correspond to the single lines/steps of the quantum system, and the transitions are decorated with the (components of the) super-operators.

The main aspect to remember while modelling a quantum protocol in this framework is that the classical states do not represent the effect of the quantum operations on the quantum states, but only the current step in the algorithm. For instance, consider the quantum Markov chain shown in Figure 1: state ${\ell }_1$ represents the fact that we applied the operation $\mathcal{A}$ to the input quantum state q and that the next operation is its measurement, with two possible outcomes ${\mathcal{E}}_0\left(\mathcal{A}\left(q\right)\right)$ and ${\mathcal{E}}_1\left(\mathcal{A}\left(q\right)\right)$. However, state ${\ell }_1$ does not represent the actual quantum state $\mathcal{A}\left(q\right)$ and how it is modified by the different operations, or whether successive visits to ${\ell }_1$ correspond to the same state of the quantum system.

1.3. How Can We Specify the Desired Properties?

Once the quantum protocol has been modelled as a quantum Markov chain, we need to consider how to formalize the properties we want to analyze. For classical model checking problems, properties are expressed as formulas in some given logic; the most common ones are the Computation Tree Logic (CTL) [2], the Linear-time Temporal Logic (LTL) [45], and their combination CTL* [46].

CTL is a branching time logic that focuses on the possible future behaviors of a system, given by the different successors of the current state. This means that whenever we are in a state with multiple successors, we branch our future execution by considering all possible successors, such as the branches of a tree. CTL has two kinds of formulas: state formulas and path formulas. State formulas, as the name suggests, refer to the properties that each single state satisfies: basic facts represented by atomic propositions, conjunctions and negations of states formulas, and quantified path formulas, where the quantification is given by either the universal (∀) or the existential (∃) quantifier on the paths, i.e., the branches of the tree. Path formulas, instead, refer to what happens in the states that are visited along a single path, with different temporal operators characterizing the behavior of the sequence of states visited by the path.

LTL, as the name indicates, is a linear time logic that considers what happens along a single execution of the system, instead of considering all alternatives as in CTL. This means that along the execution, all choices about the successor states have already been resolved. Since LTL focuses on a single, whole execution at a time, it has only one kind of formulas that combine freely Boolean and temporal operators. $\omega$-regular properties extend LTL, by directly specifying the executions that are “good”; $\omega$-regular properties are given as the language of an automaton accepting infinite words (cf. [27]).

Depending on the characteristics of the system, such as the presence of probabilistic choices, rewards, or time information, these logics have been extended and adapted to use specific operators to take care of such additional characteristics. For instance, the probabilistic version of CTL, PCTL [47], replaces the path quantifiers of CTL with a single probability operator that is used to compute the probability of all paths satisfying the given path formula. PLTL [48] is similar: instead of requiring all paths to satisfy the formula, it just computes their probability and then checks whether it is bounded by the given threshold. This is a reasonable choice: in the probabilistic setting, a single path can violate the given path property; however, we can ignore it as long as its probability is negligible.

When moving to quantum systems, the logic also needs to be adapted. In this work, we consider the quantum extension of CTL given in [44] and of LTL as presented in [49], as well as the extension of CTL with a fidelity operator proposed in [50].

The former two logics can be considered the natural extension of PCTL and PLTL to quantum systems: instead of computing the probability of the paths, we compute the super-operator $\mathcal{E}$ accumulated along these paths and then we compare it with the given threshold super-operator $\mathcal{F}$. Such a comparison intuitively represents the fact that the success probability of performing $\mathcal{E}$ is bounded by the probability of performing $\mathcal{F}$, independently from the initial state. The idea underlying this choice is to use the logics to characterize classical aspects of the quantum system, given the fact that the quantum protocols usually aim at achieving some classical tasks, such as exchanging encryption keys or flipping coins. As an example of the properties we can express in this logic, we have the formula ${\mathbb{Q}}_{\gtrsim \mathcal{E}}\left[\mathbf{F}{\ell }_3\right]$. This formula holds whenever the probability that the loop program shown in Figure 1 eventually terminates is at least $\mathcal{E}$, for each initial quantum state. Therefore, to check whether the program terminates almost surely on any input, we can just use the formula ${\mathbb{Q}}_{\gtrsim \mathcal{I}}\left[\mathbf{F}{\ell }_3\right]$, where $\mathcal{I}$ is the identity super-operator which can be regarded as the value 1 in the context of probabilistic model checking.

Although the quantum counterparts of CTL and LTL seen above are able to quantify classical properties of quantum protocols, they are not able to quantify the similarity between two quantum states. In order to consider this similarity, the authors of [50] adopt the fidelity operator to represent the homonym popular measure used by the quantum community [51,52,53,54]. Fidelity can be used, for instance, to measure the effect of noise on the transmission of a quantum bit on a channel: if the received qubit is not affected by the noise, then fidelity reaches its maximal value 1; on the other hand, if the noise flips the qubit, then fidelity obtains its minimal value 0.

To summarize, quantum CTL can be used to formalize the branching-time behavior of the quantum system with respect to classical properties; quantum LTL considers linear-time properties instead of branching time properties, in the same setting; fidelity CTL, on the other hand, focuses on the quantum branching-time effects of the quantum system.

1.4. Organization of the Paper

After recalling from literature the preliminary definitions about quantum Markov chains in Section 2, we present in Section 3 how to model check quantum Markov chains against properties given in the quantum CTL; this section is mainly based on the results of [44]. Then, in Section 4, we consider the problem of checking properties involving the fidelity operator, which provides a means to know how well a super-operator preserves quantum states; we use [50] as reference. We present, in Section 5, how to check LTL and $\omega$-regular properties, with material taken from [49]. Lastly, in Section 6 we provide some final remark about quantum model checking.

We refer the readers interested in the technical details of the different constructions to the literature we used as reference. They can also refer to the recently published book [55], which provides more technical details about model checking quantum systems against the quantum CTL and LTL logics. It also gives a more comprehensive presentation of the basics of quantum theory and the challenges in adapting classical model checking techniques to the quantum setting; for instance, the authors of the book consider also quantum automata, that are well suited to represent closed quantum systems, i.e., quantum systems without interference from the environment. The quantum Markov chains we consider in this paper, instead, can be used to model open quantum systems, i.e., those that are affected by the environment, such as the presence of an eavesdropper trying to intercept the cryptographic key during the execution of a quantum key-exchange protocol. The book [55] is based on the same work available in literature about quantum CTL and LTL, so this paper can be considered also as an introduction, or a summary, for [55]. In this paper, however, we also present the results developed for model checking fidelity properties, not present in [55].

2. Quantum Markov Chains

In this section, we recall from literature the required notions and notations about quantum systems and quantum Markov chains. For a more thorough discussion, we refer the interested reader to, e.g., [44,50,56].

Given a finite dimensional Hilbert space $\mathcal{H}$, let $\mathcal{L}\left(\mathcal{H}\right)$ be the set of linear operators on it. Let $\mathcal{S}\left(\mathcal{H}\right)$ be the set of super-operators, where a super-operator is a completely positive linear operator on $\mathcal{L}\left(\mathcal{H}\right)$. We identify two specific super-operators in $\mathcal{S}\left(\mathcal{H}\right)$, namely ${\mathcal{I}}_{\mathcal{H}}$ and $0_{\mathcal{H}}$, that are the identity and the null super-operator, respectively. Given a finite set J of indices, for simplicity of presentation, we exchange freely a super-operator and its Kraus representation, that is, for a given super-operator $\mathcal{E}$, we write $\mathcal{E}=\{E_j\mid j\in J\}$ where $\{E_j\mid j\in J\}$ is a set of Kraus operators of $\mathcal{E}$; that is, $\mathcal{E}\left(A\right)={\sum }_{j\in j}{E}_{j}A{E}_j^{†}$ for all $A\in \mathcal{L}\left(\mathcal{H}\right)$, where $E_j^{†}$ is the complex conjugate and transpose of $E_j$. For any $\mathcal{E},\mathcal{F}\in \mathcal{S}\left(\mathcal{H}\right)$, we denote the composition of $\mathcal{E}$ and $\mathcal{F}$ by $(\mathcal{E}\circ \mathcal{F})\left(A\right)=\mathcal{E}\left(\mathcal{F}\right(A\left)\right)$. To simplify the notation, we may drop the symbol ∘ and just write $\mathcal{E}\mathcal{F}$ instead of $\mathcal{E}\circ \mathcal{F}$.

Super-operators can be (pre-)ordered according to their preservation of the trace. The trace of a linear operator $A\in \mathcal{L}\left(\mathcal{H}\right)$ is defined as ${\sum }_{i=1}^d\langle {\eta }_i|A|{\eta }_i\rangle$ where $\{|{\eta }_i\rangle \mid 1\le i\le d\}$ is an orthonormal basis of the Hilbert space $\mathcal{H}$ with dimension d. Let ${\mathcal{D}}^{}\left(\mathcal{H}\right)$ denote the set of partial density operators in $\mathcal{L}\left(\mathcal{H}\right)$, where we say that a linear operator $A\in \mathcal{L}\left(\mathcal{H}\right)$ is a partial density operator if A is positive (i.e., $\langle \eta |A|\eta \rangle \ge 0$ for all $|\eta \rangle \in \mathcal{H}$) and its trace $\mathrm{tr}\left(A\right)$ satisfies $\mathrm{tr}\left(A\right)\le 1$; we denote by ${\mathcal{D}}^1\left(\mathcal{H}\right)$ the set of density operators, that is, the partial density operators whose trace is 1. Recall that the trace of a partial density operator denotes the probability that the corresponding (normalized) quantum state is reached [57]. Given two super-operators $\mathcal{E},\mathcal{F}\in \mathcal{S}\left(\mathcal{H}\right)$, we write $\mathcal{E}\lesssim \mathcal{F}$ if for any $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$, we have $\mathrm{tr}\left(\mathcal{E}\right(\rho \left)\right)\le \mathrm{tr}\left(\mathcal{F}\right(\rho \left)\right)$. Intuitively, $\mathcal{E}\lesssim \mathcal{F}$ means that the success probability of performing $\mathcal{E}$ is always at most the probability of performing $\mathcal{F}$, whatever the initial state is. We define ≂ to be $\lesssim \cap \gtrsim$.

For any $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$, the support $\mathrm{supp}\left(\rho \right)$ is defined to be the space spanned by the eigenvectors of $\rho$ with non-zero eigenvalues. Let $\left\{X_k\right\}$ be a family of subspaces of $\mathcal{H}$. The join of $\left\{X_k\right\}$ is defined to be ${\bigvee }_k{X}_k=\mathrm{span}\left({\bigcup }_k{X}_k\right)$.

We denote by ${\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)=\{\mathcal{E}\in \mathcal{S}\left(\mathcal{H}\right)\mid 0_{\mathcal{H}}\lesssim \mathcal{E}\lesssim {\mathcal{I}}_{\mathcal{H}}\}$ the set of trace-nonincreasing super-operators over $\mathcal{H}$. In particular, this means that $\mathcal{E}\in {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$ if, and only if, for any $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$, we have that $\mathrm{tr}\left(\mathcal{E}\right(\rho \left)\right)\in [0,1]$. For the reader familiar with the probabilistic setting, it is natural to consider the set ${\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$ as the quantum counterpart of the probability domain $[0,1]$. This is the underlying idea of the quantum Markov chains defined in [44].

Definition 1.

A super-operator weighted Markov chain $\mathfrak{M}$ over a Hilbert space $\mathcal{H}$ is a pair $\mathfrak{M}=(S,\mathbf{Q})$, where

• S is a finite set of classical states;
• $\mathbf{Q}:S\times S\to {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$ is called the transition matrix where for each $s\in S$, the super-operator ${\sum }_{s^{\prime }\in S}\mathbf{Q}(s,s^{\prime })$ is trace-preserving, that is ${\sum }_{s^{\prime }\in S}\mathbf{Q}(s,s^{\prime })\eqsim {\mathcal{I}}_{\mathcal{H}}$.

We just refer to this kind of Markov chains as quantum Markov chains (QMCs).

Similar to the setting of classical Markov chains, to talk about the (probability) measure of different events in a quantum Markov chain, we need to introduce a measurable space and the measure we want to use. The basic events of the measurable space will be based on the notion of path.

Given a QMC $\mathfrak{M}=(S,\mathbf{Q})$, we call a finite or infinite sequence $\sigma =s_0{s}_1\cdots$ of states in S a path of $\mathfrak{M}$ if, for each valid index $i\ge 1$, we have $\mathbf{Q}(s_{i-1},s_i)\ne 0_{\mathcal{H}}$. We denote by ${\mathrm{Path}}_{\mathit{fin}}^{\mathfrak{M}}$ the set of finite paths and by ${\mathrm{Path}}^{\mathfrak{M}}$ the set of infinite paths. We let $\sigma \left[i\right]$ denote the state $s_i$.

The basic events of our measurable space are the cylinder sets of finite paths. We define the cylinder set of the finite path $\sigma =s_0{s}_1\cdots s_n$ to be the set $\mathit{Cyl}\left(\sigma \right)=\{{\sigma }^{\prime }\in {\mathrm{Path}}^{\mathfrak{M}}\mid \forall 0\le i\le n:\sigma \left[i\right]={\sigma }^{\prime }\left[i\right]\}$. In practice, the cylinder set of a finite path $\sigma$ contains all possible infinite paths that are an extension of $\sigma$.

Let $({\mathrm{Path}}^{\mathfrak{M}},\mathsf{\Sigma })$ be a measurable space where $\mathsf{\Sigma }$ is the $\sigma$-algebra generated by all the cylinder sets $\mathit{Cyl}\left(\sigma \right)$ where $\sigma \in {\mathrm{Path}}_{\mathit{fin}}^{\mathfrak{M}}$. For any $s\in S$, we define the measure $Q_s^{\mathfrak{M}}:{\mathrm{Path}}_{\mathit{fin}}^{\mathfrak{M}}\to \mathcal{S}\left(\mathcal{H}\right)$ as follows. Given the finite path $\sigma =s_0{s}_1\cdots s_n$,

$$Q_s^{\mathfrak{M}}(s_0{s}_1\cdots s_n)=\left\{\begin{array}{cc}{0}_{\mathcal{H}}\hfill & \mathrm{if}{s}_0\ne s;\hfill \\ {\mathcal{I}}_{\mathcal{H}}\hfill & \mathrm{if}{s}_0=s\mathrm{and}n=0;\hfill \\ \mathbf{Q}(s_{n-1},s_n)\mathbf{Q}(s_{n-2},s_{n-1})\cdots \mathbf{Q}(s_0,s_1)\hfill & \mathrm{if}{s}_0=s\mathrm{and}n>0.\hfill \end{array}\right.$$

Then, $Q_s^{\mathfrak{M}}$ induces a (super-operator valued) measure on $({\mathrm{Path}}^{\mathfrak{M}},\mathsf{\Sigma })$, also denoted by $Q_s^{\mathfrak{M}}$ for simplicity, by setting $Q_s^{\mathfrak{M}}\left(\mathit{Cyl}\left(\sigma \right)\right)=Q_s^{\mathfrak{M}}\left(\sigma \right)$. According to [44] (Theorem 3.2), this measure is unique up to ≂.

In the reminder of the paper, we are interested in analyzing properties of a given QMC. We assign labels to the states of the QMC to indicate the basic properties that hold in each state, that is, we decorate each state of the QMC with the atomic propositions it satisfies. Atomic propositions represent some simple known facts we want to express about the single states of the system, such as “the execution is terminated”, “the measured qubits are different”, “eavesdropping detected”, and so on. Thus, we consider an extension of QMCs in which each state obtains assigned atomic propositions by a labelling function.

Definition 2.

A labelled quantum Markov chain (LQMC) is a tuple $\mathfrak{M}=(S,\mathbf{Q},\mathit{AP},L)$ where $(S,\mathbf{Q})$ is a QMC and

• $\mathit{AP}$ is a finite set of atomic propositions and
• $L:S\to 2^{\mathit{AP}}$ is a labelling function.

The notions of paths, measures, etc. given above extend in the natural way to LQMCs; for the labelling from states to paths, we set $L(s_0{s}_1{s}_2\cdots )=L\left(s_0\right)L\left(s_1\right)L\left(s_2\right)\cdots$.

3. Model Checking CTL Properties

As we have seen in the introduction, the branching time logic CTL focuses on the possible future behaviors of a system, given by the different successors of the current state, instead of a single execution as in LTL and $\omega$-regular properties. CTL has two kinds of formulas: state formulas and path formulas. State formulas, as the name suggests, refer to the properties that the single states satisfy: basic facts represented by atomic propositions, conjunctions and negations of states formulas, and quantified path formulas, where the quantification is given by either the universal (∀) or the existential (∃) quantifier. Path formulas, instead, refer to what happens to the states that are visited along a single paths. This “state-based” nature of CTL makes the CTL model checking problem, i.e., whether a system satisfies a given CTL formula, rather easy and intuitive, which results in the development of efficient algorithms; see, e.g., [26,27] for more details. The quantum counterpart of CTL, QCTL [44], replaces the path quantifiers ∀ and ∃ with a single quantum quantifier ${\mathbb{Q}}_{\sim \mathcal{E}}$, which accumulates the super-operators corresponding to the paths satisfying the given path formula, and then compares it with $\mathcal{E}$. This is similar to the probabilistic CTL, where the path quantifiers are replaced by the probabilistic operator ${\mathbb{P}}_{\sim p}$ computing the overall probability of the satisfying paths and comparing it with p.

3.1. The Model Checking Problem

We start with the LQMC $\mathfrak{M}$ and the property $\phi$ we want to verify. The property is usually given as a QCTL state formula $\phi$, that is, a formula expressible according to the following grammar:

$$\begin{array}{cc}\hfill \phi & ::=a\mid \phi \wedge \phi \mid \neg \phi \mid {\mathbb{Q}}_{\sim \mathcal{E}}\left[\psi \right]\hfill \\ \hfill \psi & ::=\mathbf{X}\phi \mid \phi {\mathbf{U}}^{\le k}\phi \mid \phi \mathbf{U}\phi ,\hfill \end{array}$$

where $a\in \mathit{AP}$ is taken from the given finite set of atomic propositions, $\sim \in \{\lesssim ,\gtrsim ,\eqsim \}$, $\mathcal{E}\in {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$, and $k\in \mathbb{N}$ is a bound. The $\psi$ formulas $\mathbf{X}\phi$, ${\phi }_1{\mathbf{U}}^{\le k}{\phi }_2$, and ${\phi }_1\mathbf{U}{\phi }_2$ are usually referred to as path formulas. In addition to the usual Boolean operators ∧ and ¬, the QCTL logic makes use of the temporal operators Next $\mathbf{X}$, Until $\mathbf{U}$, and bounded Until ${\mathbf{U}}^{\le k}$. We freely use the usual syntactic sugar like the Boolean operators $\mathbf{false}$, $\mathbf{true}$, ∨, ⇒, and ⇔ and the temporal operator Finally/Eventually $\mathbf{F}\phi =\mathbf{true}\mathbf{U}\phi$. In literature, it is possible to find the temporal operators ◯ and ⋄, corresponding to $\mathbf{X}$ and $\mathbf{F}$, respectively.

The semantics of QCTL is given by means of the satisfaction relation ⊧, defined as follows. For state formulas, given a state $s\in S$, we have

$$\begin{array}{cccc}\hfill s\vDash a& \hfill & & \mathrm{if}a\in L\left(s\right);\hfill \\ \hfill s\vDash {\phi }_1\wedge {\phi }_2& \hfill & & \mathrm{if}s\vDash {\phi }_1\mathrm{and}s\vDash {\phi }_2;\hfill \\ \hfill s\vDash \neg \phi & \hfill & & \mathrm{if}\mathrm{it}\mathrm{is}\mathrm{not}\mathrm{the}\mathrm{case}\mathrm{that}s\vDash \phi ;\mathrm{and}\hfill \\ \hfill s\vDash {\mathbb{Q}}_{\sim \mathcal{E}}\left[\psi \right]& \hfill & & \mathrm{if}{Q}_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)\sim \mathcal{E}.\hfill \end{array}$$

For path formulas, given a path $\sigma \in {\mathrm{Path}}^{\mathfrak{M}}$, we have

$$\begin{array}{cccc}\hfill 1-1\sigma \vDash \mathbf{X}\phi & \hfill & & \mathrm{if}\sigma \left[1\right]\vDash \phi ;\hfill \\ \hfill \sigma \vDash {\phi }_1{\mathbf{U}}^{\le k}{\phi }_2& \hfill & & \mathrm{if}\exists 0\le n\le k:\sigma \left[n\right]\vDash {\phi }_2\mathrm{and}\forall 0\le i<n:\sigma \left[i\right]\vDash {\phi }_1;\hfill \\ \hfill \sigma \vDash {\phi }_1\mathbf{U}{\phi }_2& \hfill & & \mathrm{if}\exists n\in \mathbb{N}:\sigma \left[n\right]\vDash {\phi }_2\mathrm{and}\forall 0\le i<n:\sigma \left[i\right]\vDash {\phi }_1.\hfill \end{array}$$

The model checking problem for LQMCs against a QCTL state formula $\phi$ is formalized as follows.

Definition 3.

Let $\mathfrak{M}$ be an LQMC, $s\in S$ be a state, and φ be a QCTL state formula. The model checking problem for $\mathfrak{M}$ against φ asks to verify whether $s\vDash \phi$ holds.

3.2. The Standard Bottom-Up Approach

As said previously, the QCTL properties are kind of “state-based” properties. The algorithm for checking whether an LQMC $\mathfrak{M}$ satisfies a given QCTL state property $\phi$ mimics the similar algorithms developed for CTL and PCTL: the state formula $\phi$ is analyzed from bottom to top, and for each of its state subformulas, the set of states satisfying the subformula is computed. When a quantified path formula needs to be analyzed, different techniques are used according to the underlying temporal operator.

Let $\mathit{Sat}\left(\phi \right)$ denote the set of states satisfying the QCTL state formula $\phi$, that is, $\mathit{Sat}\left(\phi \right)=\{s\in S\mid s\vDash \phi \}$. The set $\mathit{Sat}\left(\phi \right)$ can be computed recursively on the structure of $\phi$ as follows.

$$\begin{array}{cc}\hfill \mathit{Sat}\left(a\right)& =\{s\in S\mid a\in L(s\left)\right\}\hfill \\ \hfill \mathit{Sat}({\phi }_1\wedge {\phi }_2)& =\mathit{Sat}\left({\phi }_1\right)\cap \mathit{Sat}\left({\phi }_2\right)\hfill \\ \hfill \mathit{Sat}(\neg \phi )& =S\backslash \mathit{Sat}\left(\phi \right)\hfill \\ \hfill \mathit{Sat}\left({\mathbb{Q}}_{\sim \mathcal{E}}\left[\psi \right]\right)& =\{s\in S\mid Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)\sim \mathcal{E}\}\hfill \end{array}$$

The above algorithm for computing the satisfaction set $\mathit{Sat}\left(\phi \right)$ of a QCTL state formula $\phi$ relies on the computation of the super-operator that is ≂-equivalent to $Q_s^{\mathfrak{M}}$ and then ∼-compares it with $\mathcal{E}$. The computation of $Q_s^{\mathfrak{M}}$ depends on the actual path formula that needs to be satisfied; to simplify the notation, below we just write $Q_s^{\mathfrak{M}}\left(\psi \right)$ to mean $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)$.

Consider the Next operator $\mathbf{X}$. The computation of $Q_s^{\mathfrak{M}}\left(\mathbf{X}\phi \right)$ is rather easy: by hypothesis, we already have computed $\mathit{Sat}\left(\phi \right)$, so $Q_s^{\mathfrak{M}}\left(\mathbf{X}\phi \right)$ reduces to compute the overall super-operator leading to the successors of s that belong to $\mathit{Sat}\left(\phi \right)$, namely,

$$Q_s^{\mathfrak{M}}\left(\mathbf{X}\phi \right)\eqsim \sum _{s^{\prime }\in \mathit{Sat}\left(\phi \right)}\mathbf{Q}(s,s^{\prime }).$$

Consider, now, the bounded Until operator ${\mathbf{U}}^{\le k}$. The computation of $Q_s^{\mathfrak{M}}\left({\phi }_1{\mathbf{U}}^{\le k}{\phi }_2\right)$ is a bit more involved: since k is a given finite natural number, we can just consider $\mathfrak{M}$ and unfold it k times; then, we accumulate the super-operators layer by layer, as long as the states satisfy the conditions given by the semantic of ${\mathbf{U}}^{\le k}$. Formally, we have that $Q_s^{\mathfrak{M}}\left({\phi }_1{\mathbf{U}}^{\le k}{\phi }_2\right)$ is ≂-equivalent to

$$\left\{\begin{array}{cc}{\mathcal{I}}_{\mathcal{H}}\hfill & \mathrm{if}s\in \mathit{Sat}\left({\phi }_2\right);\hfill \\ \sum _{s^{\prime }\in S}{Q}_{s^{\prime }}^{\mathfrak{M}}\left({\phi }_1{\mathbf{U}}^{\le k-1}{\phi }_2\right)\mathbf{Q}(s,s^{\prime })\hfill & \mathrm{if}k>0\mathrm{and}s\in \mathit{Sat}\left({\phi }_1\right)\backslash \mathit{Sat}\left({\phi }_2\right);\hfill \\ 0_{\mathcal{H}}\hfill & \mathrm{otherwise}.\hfill \end{array}\right.$$

Intuitively, this is essentially the application of the Next $\mathbf{X}$ operator k times, while checking the satisfaction of ${\phi }_1$ and ${\phi }_2$, since ${\phi }_1{\mathbf{U}}^{\le k}{\phi }_2$ is equivalent to ${\phi }_2$ when $k=0$ and to ${\phi }_2\vee ({\phi }_1\wedge \mathbf{X}\left({\phi }_1{\mathbf{U}}^{\le k-1}{\phi }_2\right))$ when $k\ge 1$.

The last case, the (unbounded) Until operator $\mathbf{U}$, is more challenging: intuitively, it is just the limit for k to infinity of the bounded case. However, a naïve computation of such a limit is likely to be inefficient, so it is preferable to adopt a different approach, such as the one underlying the PCTL model checking algorithm that is based on a fixed point computation. To this end, we partition the state space S into three sets: $S^{{\mathcal{I}}_{\mathcal{H}}}$, with all states that we are sure satisfy ${\phi }_1\mathbf{U}{\phi }_2$; we can assign the super-operator ${\mathcal{I}}_{\mathcal{H}}$ to these states. $S^{0_{\mathcal{H}}}$, containing the states that we are sure do not satisfy ${\phi }_1\mathbf{U}{\phi }_2$; we can assign the super-operator $0_{\mathcal{H}}$ to these states. $S^{?}$, for the remaining states for which we do not know whether they satisfy ${\phi }_1\mathbf{U}{\phi }_2$ and for which we cannot assign a predefined super-operator. States that belong to $S^{{\mathcal{I}}_{\mathcal{H}}}$ are clearly those in $\mathit{Sat}\left({\phi }_2\right)$, as well as those in $\mathit{Sat}\left({\phi }_1\right)$ that cannot avoid to reach $S^{{\mathcal{I}}_{\mathcal{H}}}$ in one step. Symmetrically, it is certain that the states in $S\backslash (\mathit{Sat}\left({\phi }_1\right)\cup \mathit{Sat}\left({\phi }_2\right))$ belong to $S^{0_{\mathcal{H}}}$, since they clearly violate ${\phi }_1\mathbf{U}{\phi }_2$; moreover, also the states that have no way to reach $\mathit{Sat}\left({\phi }_2\right)$ in the underlying graph can be included in $S^{0_{\mathcal{H}}}$.

Regarding the super-operator to assign at the states in $S^{?}$, by [44] (Theorem 5.1) it is the least fixed point of the function $f\left(X\right)=X\mathcal{T}+\mathcal{G}$, where $\mathcal{T}$ and $\mathcal{G}$ are two matrices indexed by the states in $S^{?}$ and whose entries depend on $\mathbf{Q}$. More formally, Theorem 5.1 of [44] shows that, given the matrices $\mathcal{T}={\left(\mathbf{Q}(s^{\prime },s)\right)}_{s,s^{\prime }\in S^{?}}$ of size $|S^{?}|\times |S^{?}|$ and $\mathcal{G}={\left({\sum }_{s^{\prime }\in S^{{\mathcal{I}}_{\mathcal{H}}}}\mathbf{Q}(s,s^{\prime })\right)}_{s\in S^{?}}$ of size $1\times |S^{?}|$, it holds that $Q_s^{\mathfrak{M}}\left({\phi }_1\mathbf{U}{\phi }_2\right)\eqsim {\tilde{\mathcal{E}}}_s$, where $\tilde{\mathcal{E}}$ is the least fixed point of $f\left(X\right)=X\mathcal{T}+\mathcal{G}$ and ${\tilde{\mathcal{E}}}_s$ is the entry of $\tilde{\mathcal{E}}$ relative to the state s. The matrix $\mathcal{G}$ represents the super-operators that lead each state $s\in S^{?}$ to the goal set $S^{{\mathcal{I}}_{\mathcal{H}}}$ in one step; the matrix $\mathcal{T}$ instead contains the super-operators that in one step lead each state $s\in S^{?}$ to other states also in $S^{?}$. Note that we do not need to consider the super-operators leading to $S^{0_{\mathcal{H}}}$ since they would lead to a failure in satisfying the formula ${\phi }_1\mathbf{U}{\phi }_2$. Detailed algorithms for the computation of $Q_s^{\mathfrak{M}}\left({\phi }_1\mathbf{U}{\phi }_2\right)$, based on Jordan decomposition or matrix inversion, can be found in [49,50].

Example 1.

As an example of application of quantum CTL, consider the QMC shown in Figure 1 and its labelled counterpart where each classical state ${\ell }_i$ obtains label ${\ell }_i$, that is, we only assign the state name as the label for the state. As formula, consider ${\mathbb{Q}}_{\gtrsim {\mathcal{I}}_{\mathcal{H}}}\left[(\neg {\ell }_2)\mathbf{U}{\ell }_3\right]$, which requires to check whether the super-operator corresponding to the paths that eventually reach ${\ell }_3$ without passing through ${\ell }_2$ is at least ${\mathcal{I}}_{\mathcal{H}}$. The algorithm for model checking this property works as follows: we start from the state properties in the leaves of the parsing tree of ${\mathbb{Q}}_{\gtrsim {\mathcal{I}}_{\mathcal{H}}}\left[(\neg {\ell }_2)\mathbf{U}{\ell }_3\right]$, that is, ${\ell }_2$ and ${\ell }_3$, and we compute $\mathit{Sat}\left({\ell }_2\right)=\left\{{\ell }_2\right\}$ and $\mathit{Sat}\left({\ell }_3\right)=\left\{{\ell }_3\right\}$. Then, we compute $\mathit{Sat}(\neg {\ell }_2)=\{{\ell }_0,{\ell }_1,{\ell }_3\}$. Now we can compute the super-operator associated with the paths satisfying the path formula $(\neg {\ell }_2)\mathbf{U}{\ell }_3$.

We initialize the sets $S^{{\mathcal{I}}_{\mathcal{H}}}$, $S^{0_{\mathcal{H}}}$, and $S^{?}$ as $S^{{\mathcal{I}}_{\mathcal{H}}}=\left\{{\ell }_3\right\}$, $S^{0_{\mathcal{H}}}=\left\{{\ell }_2\right\}$, and $S^{?}=\{{\ell }_0,{\ell }_1\}$. The Bellman equations for the states in $S^{?}$ are the following, once we plug in the known values $0_{\mathcal{H}}$ and ${\mathcal{I}}_{\mathcal{H}}$ for the states in $S^{0_{\mathcal{H}}}$ and $S^{{\mathcal{I}}_{\mathcal{H}}}$, respectively: $X_{{\ell }_0}\eqsim X_{{\ell }_1}\mathcal{A}$ and $X_{{\ell }_1}\eqsim {\mathcal{E}}_0$, which correspond to the least fixed point of the function $f\left(X\right)=X\mathcal{T}+\mathcal{G}$, where

$$\begin{array}{cccc}\hfill \mathcal{T}& =\left(\begin{array}{cc}{0}_{\mathcal{H}}& 0_{\mathcal{H}}\\ \mathcal{A}& 0_{\mathcal{H}}\end{array}\right)\hfill & \hfill \mathcal{G}& =\left(\begin{array}{cc}{0}_{\mathcal{H}}& {\mathcal{E}}_0\end{array}\right)\hfill \end{array}$$

used in [44] (Theorem 5.1). The final result is $X_{{\ell }_0}\eqsim {\mathcal{E}}_0\mathcal{A}$ and $X_{{\ell }_1}\eqsim {\mathcal{E}}_0$, for which we have $X_{{\ell }_0}\neg \gtrsim {\mathcal{I}}_{\mathcal{H}}$, as well as $X_{{\ell }_1}\neg \gtrsim {\mathcal{I}}_{\mathcal{H}}$. Thus, we obtain $\mathit{Sat}\left({\mathbb{Q}}_{\gtrsim {\mathcal{I}}_{\mathcal{H}}}\left[(\neg {\ell }_2)\mathbf{U}{\ell }_3\right]\right)=\left\{{\ell }_3\right\}$, since ${\ell }_3$ is the only state from which the computed super-operator is at least ${\mathcal{I}}_{\mathcal{H}}$.

3.3. Complexity of the QCTL Model Checking Problem

As said at the beginning of this section, textbooks like [26,27] provide a detailed analysis of the model checking algorithms for CTL and PCTL, and they show that such algorithms are efficient. More precisely, such algorithms are polynomial in both the size of the model $\mathfrak{M}$ and the size of the state formula $\phi$; the size $\left|\phi \right|$ of $\phi$ is defined [47] as the number of logical connectives and temporal operators in $\phi$ plus the sum of the size $log\left(k\right)$ of each bounded temporal operators ${\mathbf{U}}^{\le k}$ occurring in $\phi$.

This polynomial complexity carries over the QCTL model checking problem: according to [44], the complexity is polynomial in the size of $\mathfrak{M}$, of $\phi$, and the dimension of the Hilbert space $\mathcal{H}$.

4. Model Checking Fidelity Properties

The quantum CTL logic we have considered in the previous sections focus on the probability of events, as carried by the computed super-operator. For instance, when model checking an LQMC against a CTL formula ${\mathbb{Q}}_{\sim \mathcal{E}}\left[\psi \right]$, we solve the problem to check whether $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid L\left(\sigma \right)\in \mathit{Words}\left(\psi \right)\}\right)\sim \mathcal{E}$ for some given $\sim \in \{\lesssim ,\gtrsim ,\eqsim \}$ and $\mathcal{E}\in {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$ (cf. Definition 3). This means, more precisely, to check whether, for each $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$, the trace of $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid L\left(\sigma \right)\in \mathit{Words}\left(\psi \right)\}\right)\left(\rho \right)$ is bounded by the trace of $\mathcal{E}\left(\rho \right)$.

Quantum CTL is not able to characterize the effect of the super-operators on the quantum states, unless this is reflected on the probability value of their trace. This means, for instance, that the effect of a measurement can be recognized, since the associated probability value is likely to decrease; on the other hand, a bit flip remains undetected, since the whole probability mass is preserved.

To express properties about how well the super-operator modelled by the QMC preserves the quantum state it is applied on a different operator is needed, such as a fidelity operator. The logic we consider is the Fidelity CTL logic (FCTL) proposed in [50], also based on CTL. (The authors of [50] call this logic Quantum CTL. Instead, we call it Fidelity CTL to avoid confusion with the homonym logic in Section 3.) As such, this logic is essentially the same as the classical and probabilistic CTL from literature, and QCTL considered in Section 3. The only difference is on the operator wrapping the path formulas: instead of using the universal ∀, existential ∃, probabilistic ${\mathbb{P}}_{\sim p}$, or quantum ${\mathbb{Q}}_{\sim \mathcal{E}}$ operators, FCTL uses the fidelity operator ${\mathbb{F}}_{\sim \tau }$, to check whether the fidelity is bounded by $\tau$. (For uniformity of notation, we use the operator ${\mathbb{F}}_{\sim \tau }$ instead of the operator ${\mathfrak{F}}_{\sim \tau }$ that is used in [50]).

4.1. The Model Checking Problem

Similarly to the other model checking problems, we are given the LQMC $\mathfrak{M}$ and the property $\phi$ we want to verify. The property is usually provided as an FCTL state formula $\phi$ respecting the following grammar:

$$\begin{array}{cc}\hfill \phi & ::=a\mid \phi \wedge \phi \mid \neg \phi \mid {\mathbb{F}}_{\sim \tau }\left[\psi \right]\hfill \\ \hfill \psi & ::=\mathbf{X}\phi \mid \phi {\mathbf{U}}^{\le k}\phi \mid \phi \mathbf{U}\phi ,\hfill \end{array}$$

where $a\in \mathit{AP}$, $\sim \in \{\le ,\ge \}$, $\tau \in \mathbb{Q}\cap [0,1]$ is a threshold, and $k\in \mathbb{N}$. Note that all other comparisons, such as <, >, =, and ≠, that could be used as ∼ in ${\mathbb{F}}_{\sim \tau }\left[\psi \right]$ can be derived from ≤ and ≥ with the help of conjunction and negation.

As we can see, the only difference between QCTL and FCTL is that ${\mathbb{Q}}_{\sim \mathcal{E}}\left[\psi \right]$ has been replaced with ${\mathbb{F}}_{\sim \tau }\left[\psi \right]$. This means that also the semantics of FCTL differs from the one of QCTL only for this path quantifier. We give the full semantics of FCTL for completeness. Given a state $s\in S$ and a path $\sigma \in {\mathrm{Path}}^{\mathfrak{M}}$, we have

$$\begin{array}{cccc}\hfill s\vDash a& \hfill & & \mathrm{if}a\in L\left(s\right);\hfill \\ \hfill s\vDash {\phi }_1\wedge {\phi }_2& \hfill & & \mathrm{if}s\vDash {\phi }_1\mathrm{and}s\vDash {\phi }_2;\hfill \\ \hfill s\vDash \neg \phi & \hfill & & \mathrm{if}\mathrm{it}\mathrm{is}\mathrm{not}\mathrm{the}\mathrm{case}\mathrm{that}s\vDash \phi ;\hfill \\ \hfill s\vDash {\mathbb{F}}_{\sim \tau }\left[\psi \right]& \hfill & & \mathrm{if}\underline{\mathrm{Fid}}\left(Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)\right)\sim \tau ;\hfill \\ \hfill \sigma \vDash \mathbf{X}\phi & \hfill & & \mathrm{if}\sigma \left[1\right]\vDash \phi ;\hfill \\ \hfill \sigma \vDash {\phi }_1{\mathbf{U}}^{\le k}{\phi }_2& \hfill & & \mathrm{if}\exists 0\le n\le k:\sigma \left[n\right]\vDash {\phi }_2\mathrm{and}\forall 0\le i<n:\sigma \left[i\right]\vDash {\phi }_1;\mathrm{and}\hfill \\ \hfill \sigma \vDash {\phi }_1\mathbf{U}{\phi }_2& \hfill & & \mathrm{if}\exists n\in \mathbb{N}:\sigma \left[n\right]\vDash {\phi }_2\mathrm{and}\forall 0\le i<n:\sigma \left[i\right]\vDash {\phi }_1.\hfill \end{array}$$

Given a super-operator $\mathcal{E}$, the $\underline{\mathrm{Fid}}$ operator is defined as

$$\underline{\mathrm{Fid}}\left(\mathcal{E}\right)=\underset{\rho \in {\mathcal{D}}^1\left(\mathcal{H}\right)}{min}\mathrm{Fid}(\mathcal{E},\rho )$$

where

$$\mathrm{Fid}(\mathcal{E},\rho )=\sqrt{{\rho }^{1/2}\mathcal{E}\left(\rho \right){\rho }^{1/2}}.$$

When $\rho$ is a pure state $\rho =|\eta \rangle \langle \eta |$, then $\mathrm{Fid}(\mathcal{E},|\eta \rangle \langle \eta |)=\sqrt{\langle \eta |\mathcal{E}\left(|\eta \rangle \langle \eta |\right)|\eta \rangle }$; moreover, by the joint concavity property (cf. [56] (Exercise 9.19)), it holds that ${min}_{\rho \in {\mathcal{D}}^1\left(\mathcal{H}\right)}\mathrm{Fid}(\mathcal{E},\rho )={min}_{|\eta \rangle \in \mathcal{H}}\mathrm{Fid}(\mathcal{E},|\eta \rangle \langle \eta |)$.

The model checking problem for LQMCs against an FCTL state formula $\phi$ is the natural counterpart of the one against QCTL (cf. Definition 3).

Definition 4.

Let $\mathfrak{M}$ be an LQMC, $s\in S$ be a state, and φ be an FCTL state formula. The model checking problem for $\mathfrak{M}$ against φ asks to verify whether $s\vDash \phi$ holds.

4.2. The Standard Bottom–Up Approach

As one can reasonably expect, the model checking algorithm for FCTL is analogous to the one for QCTL: it follows a bottom-up approach to compute the sets $\mathit{Sat}\left({\phi }^{\prime }\right)$ for each the state subformula ${\phi }^{\prime }$ occurring in the formula $\phi$ we need to verify. Everything is the same, except for the evaluation of $\mathit{Sat}\left({\mathbb{F}}_{\sim \tau }\left[\psi \right]\right)$. For this, first the matrix representation of the super-operator ${\mathcal{E}}_s=Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)$ is obtained, which corresponds to the analogous computation for QCTL. Then, the expression $\underline{\mathrm{Fid}}\left({\mathcal{E}}_s\right)\sim \tau$ is evaluated by converting it to the quantified constraint ${\mathtt{Q}}_{\sim }|\eta \rangle \in \mathcal{H}:\mathrm{Fid}({\mathcal{E}}_s,|\eta \rangle \langle \eta |)\sim \tau$, where ${\mathtt{Q}}_{\le }=\exists$ and ${\mathtt{Q}}_{\ge }=\forall$. The resulting constraint, after some appropriate manipulation, is then verified by means of the existential theory of the reals.

Example 2.

As an example of the application of the fidelity operator, consider the QMC for the loop program depicted in Figure 1 and the fidelity formula ${\mathbb{F}}_{\ge 1}\left[(\neg {\ell }_2)\mathbf{U}{\ell }_3\right]$. We have already computed in Example 1 the super-operators $X_{{\ell }_i}$ corresponding to the path formula $(\neg {\ell }_2)\mathbf{U}{\ell }_3$ for each state ${\ell }_i$, that is, $X_{{\ell }_0}\eqsim {\mathcal{E}}_0\mathcal{A}$, $X_{{\ell }_1}\eqsim {\mathcal{E}}_0$, $X_{{\ell }_2}\eqsim 0_{\mathcal{H}}$, and $X_{{\ell }_3}\eqsim {\mathcal{I}}_{\mathcal{H}}$. The formula ${\mathbb{F}}_{\ge 1}\left[(\neg {\ell }_2)\mathbf{U}{\ell }_3\right]$ holds in the state ${\ell }_i$ if the corresponding super-operator $X_{{\ell }_i}$ is such that ${min}_{|\eta \rangle \in \mathcal{H}}\mathrm{Fid}(X_{{\ell }_i},|\eta \rangle \langle \eta |)\ge 1$; this holds only when $X_{{\ell }_i}\eqsim {\mathcal{I}}_{\mathcal{H}}$ (cf. [50]), which is true only for ${\ell }_3$.

The technical details for the constructions presented in this section, as well as some improvements on the computation of $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \sigma \vDash \psi \}\right)$, are rather involved; the interested reader can find them in [50] (Section 5), together with examples showing their application.

4.3. Complexity of the FCTL Model Checking Problem

Since FCTL differs from CTL, PCTL, and QCTL only for one operator, the detailed complexity analysis available in literature (see, e.g., [26,27,58]) for this kind of logic carries over to FCTL [50]. However, the presence of the fidelity operator ${\mathbb{F}}_{\sim \tau }$ increases the resulting complexity from polynomial to exponential [50] (Theorem 5.12).

5. Model Checking LTL and $\mathbf{\omega }$-Regular Properties

As we mentioned in the introduction, LTL and $\omega$-regular properties are well suited for describing the behavior of a system in the long run, such as its liveness (e.g., the system never crashes), repeated reachability (e.g., the system is ready to accept requests again and again), and fairness (e.g., if the system has to make a choice infinitely often, all options are chosen infinitely often) properties. This kind of properties has been studied extensively for classical Markov chains [27,59,60,61]. In the classical setting, the usual approach to compute the probability $\mathcal{P}\left(\phi \right)$ that a certain LTL property $\phi$ is satisfied in a Markov chain $\mathfrak{M}$ is to adopt an automaton-based approach, as the one introduced by Vardi and Wolper for program verification [62]. This approach works as follows; see, e.g., [26,27] for more details.

5.1. The Model Checking Problem

We start with the model $\mathfrak{M}$ and the property $\phi$ we want to verify. The property is usually given as an LTL formula, that is, a formula expressible according to the following grammar:

$$\phi ::=a\mid \phi \wedge \phi \mid \neg \phi \mid \mathbf{X}\phi \mid \phi \mathbf{U}\phi ,$$

where $a\in \mathit{AP}$ is taken from the given finite set of atomic propositions. In addition, the syntactic sugar shared with CTL, we also consider the Globally/Always temporal operator $\mathbf{G}\phi =\neg \mathbf{F}\neg \phi$, sometimes written as $\square \phi$.

The semantics of LTL is analogous to the one of CTL, in particular for the temporal operators. We call word an infinite sequence of sets of atomic propositions $w\in {\left(2^{\mathit{AP}}\right)}^{\omega }$. We say that w satisfies φ, denoted by $w\vDash \phi$, in the following cases:

$$\begin{array}{cccc}\hfill w\vDash a& \hfill & & \mathrm{if}a\in w\left[0\right];\hfill \\ \hfill w\vDash {\phi }_1\wedge {\phi }_2& \hfill & & \mathrm{if}w\vDash {\phi }_1\mathrm{and}w\vDash {\phi }_2;\hfill \\ \hfill w\vDash \neg \phi & \hfill & & \mathrm{if}\mathrm{it}\mathrm{is}\mathrm{not}\mathrm{the}\mathrm{case}\mathrm{that}w\vDash \phi ;\hfill \\ \hfill w\vDash \mathbf{X}\phi & \hfill & & \mathrm{if}w[1\cdots ]\vDash \phi ;\mathrm{and}\hfill \\ \hfill w\vDash {\phi }_1\mathbf{U}{\phi }_2& \hfill & & \mathrm{if}\exists n\in \mathbb{N}:w[n\cdots ]\vDash {\phi }_2\mathrm{and}\forall 0\le i<n:w[i\cdots ]\vDash {\phi }_1,\hfill \end{array}$$

where $w[i\cdots ]=w\left[i\right]w[i+1]\cdots$. We denote the set of all words satisfying $\phi$ by $\mathit{Words}\left(\phi \right)=\{w\in {\left(2^{\mathit{AP}}\right)}^{\omega }\mid w\vDash \phi \}$.

The model checking problem for LQMCs against an LTL formula $\phi$ is formalized as follows.

Definition 5.

Let $\mathfrak{M}$ be an LQMC, $s\in S$ be a state, and φ be an LTL formula. Given $\sim \in \{\lesssim ,\gtrsim ,\eqsim \}$ and $\mathcal{E}\in {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$, the model checking problem for $\mathfrak{M}$ against φ asks to verify whether $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid L\left(\sigma \right)\in \mathit{Words}\left(\phi \right)\}\right)\sim \mathcal{E}$ holds.

The model checking problem for LQMCs against an $\omega$-regular property $\mathcal{W}\subseteq {\left(2^{\mathit{AP}}\right)}^{\omega }$ is defined analogously.

Definition 6.

Let $\mathfrak{M}$ be an LQMC, $s\in S$ be a state, and $\mathcal{W}\subseteq {\left(2^{\mathit{AP}}\right)}^{\omega }$ be an ω-regular property. Given $\sim \in \{\lesssim ,\gtrsim ,\eqsim \}$ and $\mathcal{E}\in {\mathcal{S}}^{\mathcal{I}}\left(\mathcal{H}\right)$, the model checking problem for $\mathfrak{M}$ against $\mathcal{W}$ asks to verify whether $Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid L\left(\sigma \right)\in \mathcal{W}\}\right)\sim \mathcal{E}$ holds.

5.2. The Standard Automata-Based Approach

In the standard automata-based approach [62] to LTL model checking in the context of classical Markov chains, the first step requires to transform the given LTL formula $\phi$ into an equivalent nondeterministic Büchi automaton accepting the same language as $\phi$, i.e., $\mathit{Words}\left(\phi \right)$; such an automaton always exists (cf. [27] (Theorem 5.37)). Since nondeterministic Büchi automata are as expressive as $\omega$-regular languages (cf. [27] (Theorem 4.32)), we can also solve the model checking problem against $\omega$-regular properties, by the same approach.

The nondeterminism present in the Büchi automaton, however, does not play well with the computation of the probability measure. For this motivation, the Büchi automaton needs to be made deterministic; however, deterministic Büchi automata are strictly less expressive than nondeterministic ones (cf. [27] (Theorem 4.50)), so more powerful deterministic automata need to be used. Therefore, the nondeterministic Büchi automaton is transformed into an equivalent deterministic automaton $\mathfrak{A}$ with a more complex acceptance condition, such as Rabin, Streett, Muller, or parity (cf. [63,64,65]). The construction of such deterministic automata usually makes use of a variant of the Safra’s [66] approach, see for instance [67,68], or some of the more recent Safraless constructions, such as the ones proposed in [69,70,71].

Once the deterministic automaton $\mathfrak{A}$ is available, it can be combined with the Markov chain $\mathfrak{M}$ as the product $\mathfrak{M}\otimes \mathfrak{A}$; this product is in practice a Markov chain extended with the information about the paths that are accepted by the automaton $\mathfrak{A}$ (i.e., the paths that satisfy the formula $\phi$); we call such a product a parity Markov chain, when $\mathfrak{A}$ is a parity automaton. As the last step, the probability of the accepting paths is computed. Since all accepting paths need to be infinite, the finite number of states of $\mathfrak{M}\otimes \mathfrak{A}$ implies that such paths need to become trapped into a set of states from which they cannot escape, that is, the states that form a bottom strongly connected component (BSCC). Intuitively, a BSCC is composed by states that can be reached by each other, and all their successors are also in the same BSCC. These BSCCs can be computed by means of algorithms operating on the graph structure of the product Markov chain; the outcome of these algorithms is a classification of the states of $\mathfrak{M}\otimes \mathfrak{A}$ as those belonging to a BSCC and the transient states, i.e., all other states. Since only states in a BSCC can be visited infinitely often with strictly positive probability, the acceptance condition provided by $\mathfrak{A}$ is used to mark each BSCC as either accepting or rejecting. As the last step, the probability that $\phi$ holds in a given state s of the Markov chain $\mathfrak{M}$ is computed by finding the unique solution of a systems of equations: if s belongs to an accepting BSCC, the probability $p_s$ is 1; if s belongs to a rejecting BSCC, the probability $p_s$ is 0; if s is a transient state, then the probability $p_s$ satisfies the Bellman equation $p_s={\sum }_{s^{\prime }\in S}\mathbf{P}(s,s^{\prime })·p_{s^{\prime }}$, where $\mathbf{P}(s,s^{\prime })$ is the probability in $\mathfrak{M}$ to make a transition from s to $s^{\prime }$, i.e., the probabilistic counterpart of $\mathbf{Q}$ in quantum Markov chains.

5.3. The Standard Automata-Based Approach Does Not Work Directly for LQMCs

In the remainder of this section, we present how the approach used to check Markov chains against $\omega$-regular properties can be extended to quantum Markov chains.

The only difference between classical Markov chains and quantum Markov chains is the use of super-operators instead of probability values to decorate the transitions; this difference, however, has a considerable effect on the model checking algorithm, as pointed out in, e.g., [49,72]. Consider the two Markov chains, enriched with a parity acceptance condition, shown in Figure 2. The parity acceptance is provided by the priorities 0 and 1 labelling the classical states $s_0$, $s_1$, and $s_2$. As we will see more formally below, a path is accepted if the minimum priority occurring infinitely often is even. This means, for instance, that the path $s_0{s}_1{s}_2{s}_1{s}_2\cdots$ is accepted, since its corresponding sequence of priorities is $00101\cdots$ whose minimum priority occurring infinitely often is 0; on the other hand, the path $s_2{s}_2\cdots$ is rejecting, since its minimum priority occurring infinitely is 1.

The Markov chain on the left of Figure 2 is a classical one where transitions are governed by the two transition probabilities p and $1-p$ with $0<p<1$. The Markov chain on the right is a quantum one governed by the two super-operators ${\mathcal{E}}_0$ and ${\mathcal{E}}_1$, such that ${\mathcal{E}}_0,{\mathcal{E}}_1\ne 0_{\mathcal{H}}$ and ${\mathcal{E}}_0+{\mathcal{E}}_1\eqsim {\mathcal{I}}_{\mathcal{H}}$. It is obvious that both Markov chains have the same classical state space, thus they have exactly the same underlying graph. If we would define the BSCCs just by looking at the underlying graph, they would have the same set of BSCCs, namely just the single BSCC $\{s_1,s_2\}$, and the same single transient state $s_0$. However, we will see that this BSCC technique does not help in the evaluation of parity QMCs.

In the classical Markov chains model, $s_0$ is a transient state that will eventually reach almost surely the unique BSCC $\{s_1,s_2\}$. Thus, its priority makes no difference. Since the probability that both states in the BSCC are visited infinitely often is 1, we have that the BSCC $\{s_1,s_2\}$ is marked as accepting, since the minimum priority of its states is 0. Since the BSCC $\{s_1,s_2\}$ is accepting and all paths from $s_1$ eventually enter $\{s_1,s_2\}$ almost surely, we find that the overall probability of the paths eventually becoming trapped in an accepting BSCC is 1 for all states.

Consider now the quantum Markov chain on the right part of Figure 2 and assume that ${\mathcal{E}}_0=\left\{|0\rangle \langle 0|\right\}$ and ${\mathcal{E}}_1=\left\{|1\rangle \langle 1|\right\}$. Note that for $i\in \{0,1\}$ it holds ${\mathcal{E}}_i{\mathcal{E}}_i={\mathcal{E}}_i$ and ${\mathcal{E}}_i{\mathcal{E}}_{1-i}=0_{\mathcal{H}}$. It is easy to check that if we start from $s_0$, the infinite path $s_0{s}_0\cdots$, with the corresponding nonzero super-operator ${lim}_{n\to \infty }{\mathcal{E}}_1^n=\left\{|1\rangle \langle 1|\right\}$, never leaves $s_0$ to reach the other states $s_1$ and $s_2$. This means that $s_0$ cannot be considered a BSCC, since $s_0$ cannot reach itself almost surely, i.e., with super-operator ${\mathcal{I}}_{\mathcal{H}}$. At the same time, $s_0$ cannot be considered a transient state, since it will not eventually reach a BSCC almost surely. Therefore, the first problem we encounter is that a state in a QMC cannot be classified either as transient or as belonging to a BSCC, as happens for classical Markov chains. In addition to this problem with the classification of $s_0$, we also have a second problem, namely, that the infinite path ${\left(s_0\right)}^{\omega }$ has minimum priority 0, so it must be taken into account when computing the super-operator corresponding to the accepting paths. This means that it does not suffice to look only at the states as performed for classical parity Markov chains, but we need to consider all possible paths.

Consider now the state $s_1$: we have only two infinite paths occurring with nonzero super-operator, namely ${\left(s_1\right)}^{\omega }$ with associated super-operator $\left\{|1\rangle \langle 1|\right\}$ and priority 0, and ${\left(s_1{s}_2\right)}^{\omega }$ with associated super-operator $\left\{|0\rangle \langle 0|\right\}$ and priority 0. Thus, the super-operator corresponding to the accepting paths in state $s_1$ is $\left\{|0\rangle \langle 0|\right\}+\left\{|1\rangle \langle 1|\right\}\eqsim {\mathcal{I}}_{\mathcal{H}}$. The situation for $s_2$ is however different: we still have only two paths, namely ${\left(s_2{s}_1\right)}^{\omega }$ with associated super-operator $\left\{|0\rangle \langle 0|\right\}$ and priority 0, and ${\left(s_2\right)}^{\omega }$ having super-operator $\left\{|1\rangle \langle 1|\right\}$ and priority 1. Thus, the value in $s_2$ is $\left\{|0\rangle \langle 0|\right\}$, that is different from ${\mathcal{I}}_{\mathcal{H}}$ in $s_1$. Therefore, we have a third problem, namely, we cannot associate the same value to all states in a BSCC, as we can do for classical Markov chains, but each state must be evaluated individually.

Let us reason more about what happens along the path $s_2{s}_2{s}_1{s}_1{s}_1\cdots$: its corresponding super-operator is $0_{\mathcal{H}}$, as effect of the composition of the two orthogonal super-operators ${\mathcal{E}}_1=\left\{|1\rangle \langle 1|\right\}$ and ${\mathcal{E}}_0=\left\{|0\rangle \langle 0|\right\}$ in the first two transitions $s_2\stackrel{{\mathcal{E}}_1}{⟶}{s}_2$ and $s_2\stackrel{{\mathcal{E}}_0}{⟶}{s}_1$, respectively. In practice, it is as the first transition from $s_2$ to $s_2$, decorated with ${\mathcal{E}}_1$, “disables” the second transition from $s_2$ to $s_1$, decorated with ${\mathcal{E}}_0$. In other words, it is like we are missing the Markovian property that allows us to forget about the past, namely that the transitions we can perform depend only on the current state, not on how we reached it. Therefore, we cannot assume that the underlying graph is immutable, since the previous transitions we performed to reach the current state might change the available edges in the underlying graph. This means that we cannot just use the standard BSCC decomposition algorithms on the underlying graph to solve the LTL and $\omega$-regular model checking problem for LQMCs: neither are BSCCs reached with certainty, nor do all states of a BSCC have the same value. In addition, the value of a state in a BSCC can be different from both $0_{\mathcal{H}}$ and ${\mathcal{I}}_{\mathcal{H}}$.

In order to overcome these problems, in [49] we proposed an alternative approach: instead of relying on the graph structure of the product $\mathfrak{M}\otimes \mathfrak{A}$, we transformed it into a single super-operator and we considered the BSCC decomposition of the classical-quantum Hilbert space induced by this super-operator, i.e., the tensor product of the classical state space with the quantum one. By operating on this larger Hilbert space, we have the information we need to solve the model checking problem for $\omega$-regular properties for labelled quantum Markov chains.

5.4. Parity Automata and Parity Quantum Markov Chains

We shortly recall a well-known mechanism to decide whether a word is included in a given $\omega$-regular language. Recall that $\mathcal{W}$ is called $\omega$-regular if it is the language of some nondeterministic Büchi automaton (cf. [27] (Theorem 4.32)) and that nondeterministic Büchi automata are equivalent to parity automata (cf. [63,64,65]). A parity automaton is defined formally as follows.

Definition 7.

A (deterministic) parity automaton (PA) is a tuple $\mathfrak{A}=(A,\overline{a},\mathit{AP},t,\mathsf{pri})$, where

• A is a finite set of automaton states;
• $\overline{a}\in A$ is the initial state;
• $\mathit{AP}$ is a finite set of atomic propositions;
• $t:A\times 2^{\mathit{AP}}\to A$ is a transition function; and
• $\mathsf{pri}:A\to \mathbb{N}$ is a priority function.

A path of $\mathfrak{A}$ is an infinite sequence $\sigma =a_0{L}_0{a}_1{L}_1\cdots \in {(A\times 2^{\mathit{AP}})}^{\omega }$, such that $a_0=\overline{a}$ and for all $i\ge 0$, $a_{i+1}=t(a_i,L_i)$. We extend the priority function to paths by setting $\mathsf{pri}\left(\sigma \right)={lim\; inf}_{i\to \infty }\mathsf{pri}\left(a_i\right)$. We use ${\mathrm{Path}}^{\mathfrak{A}}$ to denote the set of all paths of $\mathfrak{A}$. The language of $\mathfrak{A}$ is defined as

$$\mathcal{L}\left(\mathfrak{A}\right)=\{L_0{L}_1\cdots \in {\left(2^{\mathit{AP}}\right)}^{\omega }\mid \exists \sigma =a_0{L}_0{a}_1{L}_1\cdots \in {\mathrm{Path}}^{\mathfrak{A}}:\mathsf{pri}\left(\sigma \right)\mathrm{is}\mathrm{even}\}.$$

As we have enriched QMCs with labels, obtaining LQMCs (cf. Definition 2), we also decorate QMCs with parity conditions, so to obtain parity QMCs; these will be useful to represent the result of the product of an LQMC and a PA, that we will present later.

Definition 8.

A parity quantum Markov chain (PQMC) is a tuple $\mathfrak{M}=(S,\mathbf{Q},\mathsf{pri})$, where $(S,\mathbf{Q})$ is a QMC and $\mathsf{pri}:S\to \mathbb{N}$ is a priority function.

As we have done for LQMCs, we extend in the natural way the notion of paths, measures, etc. to PQMCs and we set $\mathsf{pri}(s_0{s}_1{s}_2\cdots )={lim\; inf}_{i\to \infty }\mathsf{pri}\left(s_i\right)$. We define the value of a PQMC $\mathfrak{M}$ in $s\in S$ as

$${\mathrm{val}}_s^{\mathfrak{M}}=Q_s^{\mathfrak{M}}\left(\{\sigma \in {\mathrm{Path}}^{\mathfrak{M}}\mid \mathsf{pri}\left(\sigma \right)\mathrm{is}\mathrm{even}\}\right).$$

Parity QMCs can be obtained by combining together an LQMC and a PA; in practice, the PA just follows the evolution of the LQMC by synchronizing on the labels of the classical states that are visited by the LQMC.

Definition 9.

The product of an LQMC $\mathfrak{M}=(S,\mathbf{Q},\mathit{AP},L)$ and a PA $\mathfrak{A}=(A,\overline{a},\mathit{AP},t,\mathsf{pri})$ with the same set of atomic propositions $\mathit{AP}$ is the PQMC $\mathfrak{M}\otimes \mathfrak{A}=(S^{\prime },{\mathbf{Q}}^{\prime },{\mathsf{pri}}^{\prime })$ where

• $S^{\prime }=S\times A$;
• ${\mathbf{Q}}^{\prime }((s,a),(s^{\prime },a^{\prime }))=\mathbf{Q}(s,s^{\prime })$ if $a^{\prime }=t(a,L\left(s\right))$, and ${\mathbf{Q}}^{\prime }((s,a),(s^{\prime },a^{\prime }))=0_{\mathcal{H}}$ otherwise; and
• ${\mathsf{pri}}^{\prime }\left((s,a)\right)=\mathsf{pri}\left(a\right)$.

An important property that is used in the model checking problem of an LQMC $\mathfrak{M}=(S,\mathbf{Q},\mathit{AP},L)$ against an $\omega$-regular property $\mathcal{W}$ recognized by $\mathfrak{A}=(A,\overline{a},\mathit{AP},t,\mathsf{pri})$ is that the value of $\mathfrak{M}\otimes \mathfrak{A}=(S^{\prime },{\mathbf{Q}}^{\prime },{\mathsf{pri}}^{\prime })$ is trace equivalent to the super-operator corresponding to $\mathcal{W}$ in $\mathfrak{M}$. Formally, by [49] (Lemma 9) we have that for any $s\in S$,

$$Q_s^{\mathfrak{M}}\left(\mathcal{L}\left(\mathfrak{A}\right)\right)\eqsim {\mathrm{val}}_{(s,\overline{a})}^{\mathfrak{M}\otimes \mathfrak{A}}.$$

This property is the expected quantum counterpart of the product Markov chain used for solving the model checking problem of classical Markov chains against LTL and $\omega$-regular properties (cf. [27]). This equivalence ensures that the super-operator we obtain in the product PQMC is equivalent to the one corresponding to the paths of the LQMC satisfying the given $\omega$-regular property, and this is needed to justify the correctness of the automata-based approach to model checking.

Example 3.

As an example of the parity construction, consider again the QMC shown in Figure 1 and the LTL formula $(\neg {\ell }_2)\mathbf{U}{\ell }_3$.

On the left part of Figure 3 we present the parity automaton $\mathfrak{A}$ corresponding to the formula $(\neg {\ell }_2)\mathbf{U}{\ell }_3$. The automaton has 3 states, namely $\overline{a}$, ⊥, and ⊤; the value assigned by the priority function $\mathsf{pri}$ to each state is given as the number near the state: this means that all states have priority 1 except for $\mathsf{pri}(\top )=0$. The transition relation is given by the depicted arrows, where we encode the sets of atomic propositions by a Boolean formula: for instance, the formula ${\ell }_3$ is satisfied by all subsets A of $\mathit{AP}=\{{\ell }_0,{\ell }_1,{\ell }_2,{\ell }_3\}$, such that ${\ell }_3\in A$; similarly, the formula ${\ell }_2\wedge \neg {\ell }_3$ is satisfied by all subsets A of $\mathit{AP}$, such that ${\ell }_2\in A$ but ${\ell }_3\notin A$.

5.5. Computing PQMC Values

As we have seen in Section 5.3, it is not enough to compute the BSCCs by looking only at the classical states of the product PQMC. The solution adopted by [49] is to encode the behavior of $\mathfrak{M}$ into a single super-operator acting on the extended Hilbert space ${\mathcal{H}}_c\otimes \mathcal{H}$ representing both the classical states and the super-operators decorating the transitions. This is obtained by taking the tensor product of the classical state space and the quantum one; then the notion of BSCC subspaces for super-operators, as defined in [73], is used in the computation of the PQMC values. The intuition underlying this extended construction is to keep track of the classical states reached step by step in the ${\mathcal{H}}_c$ part of ${\mathcal{H}}_c\otimes \mathcal{H}$, and to accumulate the effects of the super-operators decorating the taken transitions on the $\mathcal{H}$ part of ${\mathcal{H}}_c\otimes \mathcal{H}$. This allows us to overcome the problem of the BSCC decomposition of the underlying graph of the given PQMC: as we have seen in Section 5.3, by performing a transition we might change the underlying graph, since some transition might be disabled as effect of the composition of super-operators; this does not happen in the classical and probabilistic setting, where the underlying graph is immutable.

Let $\mathcal{E}$ be a super-operator acting on $\mathcal{H}$; given a subspace X of $\mathcal{H}$, we call X:

• invariant for $\mathcal{E}$ if $\mathcal{E}\left(X\right)\subseteq X$;
• a BSCC of $\mathcal{E}$ if $\mathcal{R}\left(|\psi \rangle \langle \psi |\right)=X$ holds for each pure state $|\psi \rangle \in X$, where $\mathcal{R}\left(\rho \right)={\bigvee }_{i=0}^{\infty }\mathrm{supp}\left({\mathcal{E}}^i\left(\rho \right)\right)$ is the reachable subspace of $\mathcal{E}$ starting in $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$;
• transient if ${lim}_{k\to \infty }\mathrm{tr}\left(P_X{\mathcal{E}}^k\left(\rho \right)\right)=0$ for each $\rho \in {\mathcal{D}}^{}\left(\mathcal{H}\right)$, where $P_X$ is the projection onto X.

Intuitively, we have that the probability of remaining forever in a transient subspace X tends to 0, as happens for the transient states in a classical Markov chain. Similarly, it is not possible to leave a BSCC X, and eventually all elements of X are visited again and again, as happens for states in the BSCCs of a classical Markov chain.

We are now ready to present how to combine together the classical part and the quantum part of a PQMC. Let $\mathfrak{M}=(S,\mathbf{Q},\mathsf{pri})$ be a PQMC on $\mathcal{H}$; for each $s,t\in S$, let ${\mathcal{E}}^{s,t}=\{E_j^{s,t}\mid j\in J^{s,t}\}$ be the set of Kraus operators with $J^{s,t}$ as set of indexes for the super-operator ${\mathcal{E}}^{s,t}=\mathbf{Q}(s,t)$. Following [72], let ${\mathcal{E}}_{\mathfrak{M}}=\{|t\rangle \langle s|\otimes E_j^{s,t}\mid s,t\in S,j\in J^{s,t}\}$ be the super-operator acting on the extended Hilbert space ${\mathcal{H}}_c\otimes \mathcal{H}$, where ${\mathcal{H}}_c$ is the $\left|S\right|$-dimensional Hilbert space with orthonormal basis $\{|s\rangle \mid s\in S\}$.

For each $s\in S$, let $O^s=\{(t,j)\mid t\in S,j\in J^{s,t}\}$ and $M^s=\{E_j^{s,t}\mid (t,j)\in O^s\}$. To see how ${\mathcal{E}}_{\mathfrak{M}}$ encodes the behavior of $\mathfrak{M}$, consider the following steps, which exactly capture the intended meaning of $\mathfrak{M}$.

1.

A projective measurement $M=\{|s\rangle \langle s|\mid s\in S\}$ is performed on the classical system ${\mathcal{H}}_c$ to determine the current classical state.

2.

If the measurement outcome of M is s, then the quantum measurement $M^s$ is performed on the quantum system $\mathcal{H}$.

3.

If the observed outcome of $M^s$ is $(t,i)$, then the classical state is set to be $|t\rangle \langle t|$.

The super-operator ${\mathcal{E}}_{\mathfrak{M}}$ enjoys a couple of nice properties: starting from a product initial state, the classical and quantum systems remain separable (disentangled) along the whole execution (cf. [49] (Lemma 11)); moreover, each fixed point state $\sigma$ of ${\mathcal{E}}_{\mathfrak{M}}$, i.e., ${\mathcal{E}}_{\mathfrak{M}}\left(\sigma \right)=\sigma$, has the form $\sigma ={\sum }_{s\in S}|s\rangle \langle s|\otimes {\sigma }_s$. According to [73], we find that any BSCC of ${\mathcal{E}}_{\mathfrak{M}}$ can be spanned by pure states of the form $|s\rangle |\eta \rangle$ where $s\in S$ and $|\eta \rangle \in \mathcal{H}$.

We are now ready to collect all BSCCs of ${\mathcal{E}}_{\mathfrak{M}}$ and classify them according to their acceptance condition. Given a BSCC B of ${\mathcal{E}}_{\mathfrak{M}}$, let

$$C\left(B\right)=\{s\in S\mid |s\rangle |\eta \rangle \in B\mathrm{for}\mathrm{some}|\eta \rangle \in \mathcal{H}\}$$

be the set of classical states supported in B. Note that it is possible to have $C\left(B\right)\cap C\left(B^{\prime }\right)\ne \varnothing$ for two different BSCCs B and $B^{\prime }$; this happens when there are two states $|s\rangle |\eta \rangle \in B$ and $|s^{\prime }\rangle |{\eta }^{\prime }\rangle \in B^{\prime }$ with $s=s^{\prime }$. However, this is not a real problem: as shown by [49] (Lemma 12), two BSCCs are orthogonal as long as they differ on at least one classical state.

Given the set of all BSCCs of ${\mathcal{E}}_{\mathfrak{M}}$, we can organize it with respect to the minimal priority assigned to the classical states in each BSCC. For a priority $k\in \mathbb{N}$, let ${\mathcal{BSCC}}_{=k}$ be the span of all BSCCs of ${\mathcal{E}}_{\mathfrak{M}}$ whose minimal priority is k, that is,

$${\mathcal{BSCC}}_{=k}=\bigvee \{B\mathrm{is}\mathrm{a}\mathrm{BSCC}\mathrm{of}{\mathcal{E}}_{\mathfrak{M}}\mid min\{\mathsf{pri}\left(s\right)\mid s\in C\left(B\right)\}=k\}.$$

Similarly, let ${\mathcal{BSCC}}_{<k}$ and ${\mathcal{BSCC}}_{>k}$ be the spans of all BSCCs with the minimal priority being less than and larger than k, respectively. Since ${\mathcal{BSCC}}_{=k}$, ${\mathcal{BSCC}}_{<k}$, and ${\mathcal{BSCC}}_{>k}$ have different sets of classical states, they are pairwise orthogonal by [49] (Lemma 12). This implies, by [73], that ${\mathcal{H}}_c\otimes \mathcal{H}$ can be decomposed uniquely into

$${\mathcal{H}}_c\otimes \mathcal{H}=T\oplus {\mathcal{BSCC}}_{=k}\oplus {\mathcal{BSCC}}_{<k}\oplus {\mathcal{BSCC}}_{>k},$$

where T is the maximum transient subspace of ${\mathcal{E}}_{\mathfrak{M}}$.

An important result (cf. [49] (Lemma 13)) is that the BSCCs in ${\mathcal{BSCC}}_{=k}$, ${\mathcal{BSCC}}_{<k}$, and ${\mathcal{BSCC}}_{>k}$ do not interfere with each other: let $\mathrm{tr}\left(R_t^k\left(\rho \right)\right)$ denote the probability that k is the lowest priority occurring infinitely often from the initial state $|t\rangle \langle t|\otimes \rho$. Then, we have that:

• if $\mathrm{supp}(|t\rangle \langle t|\otimes \rho )\subseteq {\mathcal{BSCC}}_{=k}$, then $\mathrm{tr}\left(R_t^k\left(\rho \right)\right)=\mathrm{tr}\left(\rho \right)$;
• if $\mathrm{supp}(|t\rangle \langle t|\otimes \rho )\subseteq {\mathcal{BSCC}}_{<k}$, then $\mathrm{tr}\left(R_t^k\left(\rho \right)\right)=0$; and
• if $\mathrm{supp}(|t\rangle \langle t|\otimes \rho )\subseteq {\mathcal{BSCC}}_{>k}$, then $\mathrm{tr}\left(R_t^k\left(\rho \right)\right)=0$,

that is, once we enter ${\mathcal{BSCC}}_{=k}$ with probability $\mathrm{tr}\left(\rho \right)$, we will see k as the minimum priority almost surely; instead, if we enter ${\mathcal{BSCC}}_{<k}$ or ${\mathcal{BSCC}}_{>k}$, we will see k as minimum priority with probability 0. In practice, ${\mathcal{BSCC}}_{=k}$ acts like the standard BSCC with minimum priority k in classical Markov chains.

It now remains to collect all ${\mathcal{BSCC}}_{=k}$ with even priority k to obtain the accepting BSCCs, and combine together their super-operators. This is formalized as follows.

Theorem 1

([49] (Corollary 15)). Let $\mathfrak{M}=(S,\mathbf{Q},\mathsf{pri})$ be a PQMC. Then, for any $s\in S$,

$${\mathrm{val}}_s^{\mathfrak{M}}\eqsim {\mathrm{tr}}_c\circ {\mathcal{P}}_{\mathit{even}}\circ {\mathcal{E}}_{\mathfrak{M}}^{\infty }\circ {\mathcal{E}}_s$$

where ${\mathrm{tr}}_c$ is the partial trace super-operator, such that ${\mathrm{tr}}_c(|s\rangle \langle t|\otimes \rho )=\langle t\rangle s·\rho$, ${\mathcal{P}}_{\mathit{even}}={\sum }_{\{k\in \mathsf{pri}(S)\mid k\mathrm{is}\mathrm{even}\}}{\mathcal{P}}_{=k}$ where ${\mathcal{P}}_{=k}=\left\{P_{=k}\right\}$ is the projection super-operator onto ${\mathcal{BSCC}}_{=k}$, ${\mathcal{E}}_{\mathfrak{M}}^{\infty }={lim}_{N\to \infty }\frac{1}{N}{\sum }_{n=1}^N{\mathcal{E}}_{\mathfrak{M}}^n$, and ${\mathcal{E}}_s\left(\rho \right)=|s\rangle \langle s|\otimes \rho$.

Similarly to the QCTL case (cf. Section 3), the value ${\mathrm{val}}_s^{\mathfrak{M}}$ is not computed exactly, but only a trace equivalent super-operator is obtained. This is in line with the statement of [44] (Theorem 3.2), saying that the super-operator valued measure for a QMC (hence, for a PQMC) is well-defined only up to the trace equivalence ≂, already at the level of the measure for the measurable space $({\mathrm{Path}}^{\mathfrak{M}},\mathsf{\Sigma })$. This means that we are not able to compute the exact super-operator corresponding to a measurable set of paths, but only a super-operator in the same ≂-equivalence class. This suffices for our purposes, since LTL and $\omega$-regular model checking for LQMCs (as well as the QCTL model checking) only look for the probability of satisfying the given property, which is preserved by ≂.

As an application of the above construction, consider the right part of Figure 3, where we show the product of the QMC shown in Figure 1 and the PA $\mathfrak{A}$ encoding the formula $(\neg {\ell }_2)\mathbf{U}{\ell }_3$. It is easy to observe that, for this specific case, we have only one accepting BSCC, composed only by the state $({\ell }_3,\top )$, and that the super-operator corresponding to the paths leading to it is ${\mathcal{E}}_0\mathcal{A}$, the same as we computed in Example 1, as expected.

As another application of the above construction, consider again the PQMC depicted on the right of Figure 2 where the super-operators decorating the transitions are ${\mathcal{E}}_0=\left\{|0\rangle \langle 0|\right\}$ and ${\mathcal{E}}_1=\left\{|1\rangle \langle 1|\right\}$. Then, the super-operator ${\mathcal{E}}_{\mathfrak{M}}$ encoding $\mathfrak{M}$ is

$$\begin{array}{cc}\hfill {\mathcal{E}}_{\mathfrak{M}}& =\phantom{+}\left\{|s_1\rangle \langle s_0|\right\}\otimes {\mathcal{E}}_0+\left\{|s_0\rangle \langle s_0|\right\}\otimes {\mathcal{E}}_1\hfill \\ \hfill & \phantom{=}+\left\{|s_2\rangle \langle s_1|\right\}\otimes {\mathcal{E}}_0+\left\{|s_1\rangle \langle s_1|\right\}\otimes {\mathcal{E}}_1\hfill \\ \hfill & \phantom{=}+\left\{|s_1\rangle \langle s_2|\right\}\otimes {\mathcal{E}}_0+\left\{|s_2\rangle \langle s_2|\right\}\otimes {\mathcal{E}}_1.\hfill \end{array}$$

In practice, for each pair of states s and t for which $\mathbf{Q}(s,t)\neg \eqsim 0_{\mathcal{H}}$, we add $\left\{|t\rangle \langle s|\right\}\otimes \mathbf{Q}(s,t)$, which can be intuitively interpreted as: we transition from s to t while performing $\mathbf{Q}(s,t)$. We can now decompose ${\mathcal{E}}_{\mathfrak{M}}$ into the BSCCs and the maximal transient space, obtaining that the maximal transient space of ${\mathcal{E}}_{\mathfrak{M}}$ is $T=\mathrm{span}\left\{|s_0\rangle |0\rangle \right\}$ and that the BSCCs are

$$\begin{array}{cccc}\hfill B_1& =\mathrm{span}\left\{|s_0\rangle |1\rangle \right\},\hfill & \hfill B_2& =\mathrm{span}\left\{|s_1\rangle |1\rangle \right\},\hfill \\ \hfill B_3& =\mathrm{span}\{|s_1\rangle |0\rangle ,|s_2\rangle |0\rangle \},\hfill & \hfill B_4& =\mathrm{span}\left\{|s_2\rangle |1\rangle \right\}.\hfill \end{array}$$

Since the priorities range over $\{0,1\}$, we obtain only ${\mathcal{BSCC}}_{=0}=\bigvee \{B_1,B_2,B_3\}$ with even minimum priority, with corresponding projection super-operator (in Kraus notation)

$${\mathcal{P}}_{=0}=\{|s_0\rangle \langle s_0|\otimes |1\rangle \langle 1|+|s_1\rangle \langle s_1|\otimes I+|s_2\rangle \langle s_2|\otimes |0\rangle \langle 0|\},$$

which is also the projection super-operator ${\mathcal{P}}_{\mathit{even}}$ occurring in Theorem 1.

Regarding the super-operator ${\mathcal{E}}_{\mathfrak{M}}^{\infty }$, we first compute its components. For any $n\ge 1$, we have ${\mathcal{E}}_{\mathfrak{M}}^{2n-1}\eqsim {\mathcal{F}}_0\otimes {\mathcal{E}}_0+\mathcal{F}\otimes {\mathcal{E}}_1$ and ${\mathcal{E}}_{\mathfrak{M}}^{2n}\eqsim {\mathcal{F}}_1\otimes {\mathcal{E}}_0+\mathcal{F}\otimes {\mathcal{E}}_1$, where

$$\begin{array}{cc}\hfill {\mathcal{F}}_0& =\{|s_1\rangle \langle s_0|,|s_2\rangle \langle s_1|,|s_1\rangle \langle s_2|\}\hfill \\ \hfill {\mathcal{F}}_1& =\{|s_2\rangle \langle s_0|,|s_1\rangle \langle s_1|,|s_2\rangle \langle s_2|\}\hfill \\ \hfill \mathcal{F}& =\{|s_0\rangle \langle s_0|,|s_1\rangle \langle s_1|,|s_2\rangle \langle s_2|\}.\hfill \end{array}$$

Thus, ${\mathcal{E}}_{\mathfrak{M}}^{\infty }\eqsim \frac{{\mathcal{F}}_0+{\mathcal{F}}_1}{2}\otimes {\mathcal{E}}_0+\mathcal{F}\otimes {\mathcal{E}}_1,$ and

$${\mathcal{P}}_0\circ {\mathcal{E}}_{\mathfrak{M}}^{\infty }\eqsim \frac{{\mathcal{F}}_0+{\mathcal{F}}_1}{2}\otimes {\mathcal{E}}_0+({\mathcal{P}}_{s_0}+{\mathcal{P}}_{s_1})\otimes {\mathcal{E}}_1.$$

Lastly, we have ${\mathcal{E}}_s=\{|s\rangle \otimes I_{\mathcal{H}}\}$ and ${\mathrm{tr}}_c=\{\langle s_i|\otimes I_{\mathcal{H}}\mid i=0,1,2\}$. By Theorem 1, it follows that

$${\mathrm{val}}_s^{\mathfrak{M}}\eqsim {\mathrm{tr}}_c\circ {\mathcal{P}}_0\circ {\mathcal{E}}_{\mathfrak{M}}^{\infty }\circ {\mathcal{E}}_s=\left\{\begin{array}{cc}{\mathcal{E}}_0+{\mathcal{E}}_1\eqsim {\mathcal{I}}_{\mathcal{H}}\hfill & \mathrm{if}s=s_0\mathrm{or}s=s_1;\hfill \\ {\mathcal{E}}_0\hfill & \mathrm{if}s=s_2.\hfill \end{array}\right.$$

These values coincide with the informal discussion we have given in Section 5.3.

5.6. Complexity of the LTL and $\omega$-Regular Model Checking Problem

A detailed algorithm providing the necessary computational steps implementing the construction given above can be found in [49]. Its complexity for computing the matrix representation of ${\mathrm{tr}}_c\circ {\mathcal{P}}_{\mathit{even}}\circ {\mathcal{E}}_{\mathfrak{M}}^{\infty }\circ {\mathcal{E}}_s$ is polynomial in the size of the given PQMC and in the dimension of its Hilbert space.

If we want to express the size of the product PQMC $\mathfrak{M}\otimes {\mathfrak{A}}_{\phi }$ in terms of the original LQMC $\mathfrak{M}$ and of the LTL formula $\phi$, then $\mathfrak{M}\otimes {\mathfrak{A}}_{\phi }$ is linear in the size of $\mathfrak{M}$ and double exponential in the size of $\phi$. The double exponential blowup is common in model checking LTL properties: the first exponential blowup occurs in the translation from $\phi$ to an equivalent nondeterministic Büchi automaton; the second blowup is caused by its determinization as a Rabin, a Streett, a Muller, or a parity automaton. These blowups cannot be avoided (cf. [26,27,63]).

6. Conclusions

In this paper we have presented three logics and relative model checking algorithms for quantum Markov chains given in literature: quantum CTL, quantum LTL and $\omega$-regular properties, and fidelity CTL. The former two kinds of properties focus on evaluating the probability of certain events; the latter, instead, looks for how well the super-operator modelled by the LQMC preserves the quantum states it is applied on.

The algorithms for the quantum counterparts of CTL and LTL follow the steps of the algorithms already developed for these logics in the setting of classical and probabilistic model checking. The quantum nature of the system to be checked, however, prevents the naïve adaptation of these algorithms, in particular for LTL and $\omega$-regular properties: the usual BSCC decomposition of the underlying graph fails, so a similar decomposition needs to be performed in an extended Hilbert space representing both the classical and the quantum states of the product PQMC. The algorithm for the computation of the states satisfying the fidelity operator, instead, is newly designed, since fidelity is a concept strictly related to quantum systems that has no counterparts in classical and probabilistic systems.