Recently, quantum computing experiments have for the first time exceeded the capability of classical computers to perform certain computations -- a milestone termed "quantum computational advantage." However, verifying the output of the quantum device in these experiments required extremely large classical computations. An exciting next step for demonstrating quantum capability would be to implement tests of quantum computational advantage with efficient classical verification, such that larger system sizes can be tested and verified. One of the first proposals for an efficiently-verifiable test of quantumness consists of hiding a secret classical bitstring inside a circuit of the class IQP, in such a way that samples from the circuit's output distribution are correlated with the secret (arXiv:0809.0847). The classical hardness of this protocol has been supported by evidence that directly simulating IQP circuits is hard, but the security of the protocol against other (non-simulating) classical attacks has remained an open question. In this work we demonstrate that the protocol is not secure against classical forgery. We describe a classical algorithm that can not only convince the verifier that the (classical) prover is quantum, but can in fact can extract the secret key underlying a given protocol instance. Furthermore, we show that the key extraction algorithm is efficient in practice for problem sizes of hundreds of qubits. Finally, we provide an implementation of the algorithm, and give the secret vector underlying the "$25 challenge" posted online by the authors of the original paper.

翻译：近期，量子计算实验首次在特定计算任务上超越了经典计算机的能力——这一里程碑被称为“量子计算优势”。然而，验证这些实验中量子设备的输出需要极其庞大的经典计算量。展示量子能力的下一步令人振奋的方向是，实现具有高效经典验证的量子计算优势测试，从而能够测试和验证更大规模的系统。首个高效可验证的量子性测试方案之一，是在IQP类电路中隐藏一个秘密经典比特串，使得电路输出分布的样本与该秘密相关（arXiv:0809.0847）。该协议的经典困难性已有证据支持：直接模拟IQP电路是困难的，但协议抵御其他（非模拟型）经典攻击的安全性仍是悬而未决的问题。本工作中，我们证明该协议无法抵御经典伪造。我们描述了一种经典算法，该算法不仅能说服验证者（经典）证明者具备量子能力，甚至能从给定协议实例中提取出底层密钥。此外，我们证明该密钥提取算法在数百量子比特问题规模下实际高效。最后，我们提供了算法的实现，并给出了原始论文作者在线发布的“$25挑战”背后的秘密向量。