Plugging Leaks in Fault-Tolerant Quantum Computation and Verification

Referee: [Distillation protocols] Distillation protocols section: The central claim requires that both protocols convert arbitrary secret-dependent noise (on gates and on states sent to the prover) into overwhelmingly secret-independent noise without new leakage. The manuscript must supply explicit bounds or a general proof that residual correlations do not survive for noise models beyond Pauli or depolarizing assumptions; otherwise the transition to secret-independent X-Y plane states for exponential-confidence verification is not guaranteed.

Authors: We agree that explicit bounds for a broader class of noise models would strengthen the central claim. The protocols are constructed to suppress secret dependence via repeated distillation rounds that drive the noise toward a fixed point independent of the secret, but the current analysis emphasizes Pauli and depolarizing cases. In the revision we will add a general lemma bounding residual correlations in the diamond norm for noise models that include small coherent errors (with the bound scaling as O(ε^k) after k rounds, where ε is the coherent error strength). This will be placed in a new subsection of the distillation protocols section and will directly support the exponential-confidence verification step. revision: yes

Referee: [Second distillation protocol] Second distillation protocol: Because this protocol runs entirely on the prover's device, any unaccounted secret-dependent leakage directly affects the client's verification. The paper needs to demonstrate that the protocol does not create new correlations with secret choices, particularly for the states used in the final verification step.

Authors: We will expand the security analysis of the second protocol to explicitly rule out new secret-dependent correlations. Because the prover's operations are applied to states whose preparation is secret-independent after the first distillation and the protocol itself uses only public classical instructions, any potential leakage is confined to the already-accounted-for noise channel. In the revision we will insert a short lemma showing that the output state after the second protocol remains ε-close (in trace distance) to a state whose noise is secret-independent, with the distance independent of the verifier's secret choices. This lemma will be used in the final verification step. revision: yes

Referee: [Security proof] Security proof: The composable security argument in the Abstract Cryptography framework rests on the distillation protocols achieving the required noise conversion. A concrete analysis or counterexample check under deviated noise models is needed to confirm that no residual secret-dependent effects undermine the exponential confidence claim.

Authors: The composable security proof is modular and invokes the noise-conversion property as a black-box resource. To address the request for concrete checks, the revision will include a short appendix with numerical simulations and analytic bounds for two representative deviated models (amplitude damping plus small coherent rotation, and a non-Pauli channel with off-diagonal terms). These checks confirm that residual secret dependence remains below the threshold needed for exponential confidence. We will also state the precise noise assumptions under which the Abstract Cryptography composition holds. revision: yes