An Algebraic Language for Specifying Quantum Networks

Quantum networks connect quantum capable nodes in order to achieve capabilities that are impossible only using classical information. Their fundamental unit of communication is the Bell pair, which consists of two entangled quantum bits. Unfortunately, Bell pairs are fragile and difficult to transmit directly, necessitating a network of repeaters, along with software and hardware that can ensure the desired results. Challenging intrinsic features of quantum networks, such as dealing with resource competition, motivate formal reasoning about quantum network protocols. To this end, we developed BellKAT, a novel specification language for quantum networks based upon Kleene algebra. To cater to the specific needs of quantum networks, we designed an algebraic structure, called BellSKA, which we use as the basis of BellKAT's denotational semantics. BellKAT's constructs describe entanglement distribution rules that allow for modular specification. We give BellKAT a sound and complete equational theory, allowing us to verify network protocols. We provide a prototype tool to showcase the expressiveness of BellKAT and how to optimize and verify networks in practice.


INTRODUCTION
Quantum networks are distributed systems providing communication services to distributed quantum applications.They bring numerous advantages over what is possible in a classical setting, improving the capabilities of existing applications and allowing for fundamentally new ones to arise.Most notable benefits are related to enhanced communication capabilities leading to increased security, with examples including unconditionally secure client-server communication, blind cloud computing, and secure multi-party computation [Gyongyosi and Imre 2022;Pirandola et al. 2020;Wang et al. 2023].Distribution is also essential to expand quantum computation beyond capabilities of individual quantum-enabled computers to quantum clusters [Kozlowski and Wehner 2019].
The basic unit of communication between two nodes in a quantum network is a distributed Bell pair or EPR pair (named after Bell [1964] and Einstein, Podolsky, and Rosen [1935]) -a pair of quantum bits (qubits), one at each node, that are entangled.Entangled qubits are correlated in a much stronger way than can be achieved with classical information.As entanglement is a fundamentally quantum property, quantum networks must operate within the constraints of quantum hardware, one of which is decoherence -quick degradation of quantum state quality over time.The issues attached to decoherence are compounded with the fact that it is not possible to copy unknown quantum states, which together with noise and qubit loss represent major obstacles to realizing long-distance quantum communication in the spirit of store-and-forward as in classical networks.These factors turn end-to-end distribution of Bell pairs, the core quantum network service, into a stateful task that requires non-trivial runtime coordination between distributed nodes.Moreover, it includes steps like distillation or initial entanglement generation that have intrinsically high probability of failure.
The need for distributed coordination, statefulness, and failure-prone primitive operations all contribute to the complex behavior of quantum network protocols -distributed programs that govern end-to-end distribution of Bell pairs among remote nodes [Illiano et al. 2022;Kozlowski et al. 2023].The scarcity of resources in quantum networks (e.g., memory and communication qubits) prompts intensive resource sharing and competition among quantum network protocols executing in parallel, further increasing protocol complexity.This makes formal reasoning about the network's behavior critical to enable protocol optimization, efficient compilation to hardware, and safe co-existence of multiple protocols, in addition to the verification of correctness properties of individual protocols (e.g., that the Bell pairs are indeed being generated between the right nodes).Quantum networks already require tight coordination, and are thus a natural fit for logically centralized architectures, similar to software-defined networking (SDN), which allow reasoning about global behavior.
To enable global behavior analysis of quantum network protocols, we propose a novel specification language, called BellKAT.We take inspiration from the extensive body of work done with regard to specification of classical networks, particularly NetKAT [Anderson et al. 2014], but present a language with distinct features that cater to the fundamentally new way in which communication occurs in a quantum setting.BellKAT is built on a solid mathematical foundation, called BellSKA, which is a novel algebraic structure enabling equational reasoning about quantum network protocols.The BellSKA structure is in turn based on Kleene algebra (KA) [Kozen 1994], specifically synchronous Kleene algebra (SKA) [Prisacariu 2010], and is designed to tackle roundbased behavior, which is inherent to quantum networks as currently envisioned by the Quantum Internet Research Group (QIRG) 1 of the Internet Research Task Force (IRTF).With BellKAT, it is possible to specify and check properties such as reachability and traffic isolation, as well as manage network resources by predicting occurrences and effects of race conditions.BellKAT can also form the foundation for a unified high-level interface between control and data plane in quantum networks, similar to what OpenFlow [McKeown et al. 2008], and later P4 [Bosshart et al. 2014] and P4-Runtime [P4 API Working Group 2021] became for classical networks.
In addition to formally defining BellKAT, we present soundness and completeness results for its axioms with respect to its denotational semantics.Concretely, we prove soundness and completeness for both a single round, with respect to end-to-end behavior, and for multiple rounds, with respect to execution traces.We design BellKAT to favor expressiveness in order to faithfully represent quantum network behavior.Lastly, we implemented a prototype tool that enables the practical specification of protocols in BellKAT and allows users to verify the effects of protocol executions.In this section, we first introduce the basic concepts surrounding quantum networks, together with their advantages and limitations.Then, we describe the concrete network model proposed by the IRTF's QIRG.Finally, we discuss existing approaches for network specification and verification.
Quantum Networks.Quantum networks are governed by the laws of quantum mechanics, which impose constraints on their design while enabling fundamentally new capabilities that are impossible when only using classical information.The no-cloning theorem prevents copying unknown quantum states without irreversibly altering them [Nielsen and Chuang 2011].This means that it is impossible to forward quantum information following the receive-copy-retransmit paradigm of classical network switches.On the positive side, the no-cloning theorem makes quantum communication inherently secure, allowing for novel applications that are resistant to eavesdropping and man-in-the-middle attacks [Pirandola et al. 2020].
Our work focuses on the core service provided by quantum networks, namely generation and distribution of entangled quantum states.Bell pairs, also called Bell states, form the basis of communication, since all distributed quantum applications (teleportation being most notable) can be built on top of (distributed) Bell pairs [Briegel et al. 1998;Kozlowski et al. 2023].Bell pairs are maximally entangled states, having the strongest possible quantum correlations among two-qubits, which makes them easier to create, distribute, and apply error handling to.For instance, with the entanglement-based quantum key distribution (QKD) protocol E91 [Ekert 1991], which has inherent source-independent security, it is possible to avoid the trusted relays that pose security risks in long-distance implementations of the original QKD protocol BB84 [Bennett and Brassard 2014].
In the following, we provide a high-level overview of key components of a quantum network [Kozlowski and Wehner 2019], which are illustrated in Figure 1.Quantum applications are run on quantum capable end nodes.They must be capable of receiving and processing entangled pairs of qubits.Most architectures rely on hardware that uses a dedicated subset of qubits, called communication qubits, to generate distributed entanglement; once a Bell pair is generated, the constituent qubits can be transferred into memory.A Bell pair is first generated locally by a quantum source, and then one or both of the entangled qubits are transmitted over quantum channels.However, the probability that a photon representing a qubit reaches the target node by direct transmission decreases exponentially with the distance.Hence, entanglement distribution over long distances is implemented using quantum repeaters, making them the core active building blocks of quantum networks [Briegel et al. 1998;Towsley 2021].A quantum repeater acts as an intermediary node between two other nodes, consuming the Bell pairs it shares with each of the other two nodes in order to create a new Bell pair connecting them.To illustrate, the top two end nodes in the network shown in Figure 1 can be entangled via the repeater to which they are connected.This physical process is known as entanglement swapping, and it can be extended with multiple quantum repeaters acting as intermediate nodes.Decoherence (quantum state degradation) is addressed by entanglement distillation (also called purification), the process of generating a single Bell state from two or more imperfect entangled states.When distillation succeeds, the quality of the state is improved.Distillation may, however, probabilistically fail, thus it substantially increases the resource demands [Pompili et al. 2021].In order to distinguish between successful attempts and failures, heralded schemes are deployed that announce when attempts succeed [Wehner et al. 2018].The final crucial components are classical channels, as entanglement generation schemes depend on tight synchronization and timely signaling among remote network entities.
Network Model.This paragraph describes our network model for end-to-end Bell pair creation, which follows the principles of quantum Internet outlined by IRTF's QIRG [Kozlowski et al. 2023].
A quantum network has a classical control plane, as well as two data planes -one classical and one quantum.The control plane is responsible for discovering the network topology, managing resources, and coordinating the actions of the nodes.In addition, it also manages routing and signaling.The classical data plane handles the forwarding of classical packets, while the quantum data plane oversees the generation and distribution of Bell pairs.Several authors propose to embed quantum networks within classical networks and use the existing infrastructure to send and receive control messages [Illiano et al. 2022;Kozlowski and Wehner 2019;Rabbie et al. 2022].This may be achieved by adding a quantum data plane to the classical data plane to build repeaters, and by using both classical and quantum physical channels to connect quantum-capable nodes.End-to-end Bell pair distribution between distant nodes is a stateful, distributed task.The task is initiated by a set of requests for Bell pair creation, each indicating the two endpoints and quality of service parameters.For each request, a quantum virtual circuit [Illiano et al. 2022] between the corresponding endpoints needs to be created, which entails identifying available paths between those end-points.An entanglement routing scheme then (with the use of a traffic engineering function, taking into account the capacity of the routers and channels, and the resources already consumed by other virtual circuits) computes the optimal path, i.e., the best sequence of repeaters and links that guarantees the requested quality of service.Finally, the entanglement generating rules are installed into the data plane of each quantum repeater on the paths.
This work focuses on the specification of these generating rules, which is the way entanglement generating protocols are implemented, enabling formal reasoning.Such specification requires sensible hardware abstractions for quantum networks, similar to those found in classical networks [Anderson et al. 2014].The following abstract building blocks, which we call actions, are the An Algebraic Language for Specifying antum Networks 200:5 Bell pairs.We describe these actions using the following example, to specify two different entanglement generating protocols for the network in Figure 1.The two protocols in Figure 2 generate Bell pairs between nodes and and nodes and , which we denote as ∼ and ∼ , but with different capabilities at the source .At node , both protocols act in the same manner, creating two Bell pairs and sending half of each to .Protocol (a) has node distribute a Bell pair between and and another between and , to obtain ∼ and ∼ , then performs two swaps at with ∼ , resulting in ∼ and ∼ .In contrast, protocol (b) transmits half of each Bell pair created at to a neighbor and keeps the other half in 's memory, leading to ∼ , ∼ , and two copies of ∼ , then performs two swaps at , to obtain ∼ and ∼ , and finally two swaps at , resulting in ∼ and ∼ .In Figure 2 the physical paths connecting nodes and with node are drawn in black, and the red virtual links depict the order in which Bell pairs are being generated.
Adding parallelism among subprotocols can immediately lead to contention between them, as illustrated with the next example.Assume that, due to network constraints, the first round of protocol (a) only succeeds in transmitting Bell pairs ∼ , ∼ , and one copy of ∼ (instead of two).The missing ∼ Bell pair will lead to resource competition.Then, when the second round performs two swaps at in parallel (one that requires ∼ , ∼ to produce ∼ and the other that requires ∼ , ∼ to produce ∼ ), only one of the two swaps will succeed (i.e., either ∼ or ∼ will be produced).On the other hand, if the second round performs the two swaps sequentially on the same input Bell pairs ∼ , ∼ , ∼ , e.g., the swap that aims to produce ∼ is called after the swap for ∼ , the first swap always succeeds and in this case outputs ∼ .
Given the intricacies above, we strive to answer the following questions, which naturally arise: • Does protocol (a) always produce Bell pairs ∼ and ∼ ?
• Are protocols (a) and (b) equivalent?
• Is protocol (a) an optimized version of protocol (b)?
Algebraic Specification.It is natural to ask whether we can draw analogies with existing approaches for the specification and verification of classical networks.In order to benefit from strong mathematical foundations, we opt for an algebraic approach.In classical networks, this line of research originated with the seminal work of Anderson et al. [2014] on NetKAT, a high-level programming language and logic for specifying and reasoning about packet-switched networks.
NetKAT is an instance of Kleene algebra with tests (KAT) whose equational theory is sound and complete with respect to its denotational semantics.The foundation of KAT is Kleene algebra (KA) [Kozen 1994], which has been used for decades as the algebraic structure of finite automata and regular events.KAT is an extension of KA with Boolean actions (called tests) that increases its expressiveness, to the extent that KAT subsumes propositional Hoare logic [Kozen 1997;Kozen and Smith 1997].Quantum actions, the building blocks of our language, are fundamentally different from NetKAT actions, whose assignments and tests are abstractions for packet field modifications and filters, respectively.In addition, quantum packets that represent Bell pairs (network resources) in quantum networks have no counterpart in classical networks, which instead contain classical packets (information carriers).Furthermore, in quantum networks concurrent behaviors cannot be ignored -contrary to the forwarding of packets in classical networks -since, to produce a single end-to-end Bell pair, we need to create and distribute many entangled pairs among the intermediate nodes.On top of that, multiple nodes simultaneously compete for the same Bell pairs.These features, combined with the fact that our actions take several Bell pairs as inputs while NetKAT programs act instead on a single input packet at a time, prevent us from drawing direct analogies with the stateless network model of NetKAT.
Concurrent NetKAT (CNetKAT) [Wagemaker et al. 2022] is an algebraic language for modeling and analyzing stateful, concurrent classical networks.CNetKAT combines the language models of NetKAT and partially-observable concurrent Kleene algebra (POCKA) [Wagemaker et al. 2020], in which tests are replaced with observations that are more suitable for addressing concurrency [Kappé et al. 2020].Parallel CNetKAT programs can execute at different speeds, leading to arbitrary interleavings.Due to resource and time constraints in quantum networks, we need tight synchronization that limits interleaving, and the protocol can be seen as progressing in rounds.Synchronous Kleene algebra (SKA) [Prisacariu 2010] allows for an alternative way of handling concurrency by layering synchronous actions into rounds, providing a formalism more suitable to our setting.However, pure SKA is not capable of faithfully expressing the complex orderings of actions in entanglement-generating protocols.
By contrast, Peng et al. [2022] have successfully applied KA to reason about quantum programs, although not in a distributed setting.Challenges related to quantum applications in a distributed setting have been discussed by Buckley et al. [2023], but no solutions have been proposed.
In summary, compositionality of algebraic structures fits well with the need for scalable and robust quantum network architectures.However, there are many features that existing classical KA structures cannot cater to, as discussed above.The nature of Bell pairs, being distributed across two different network nodes and as constituting undirected network resources, further contrasts with classical packet forwarding.

BELLKAT OVERVIEW
This section presents the principles of our network specification approach.We use the quantum network illustrated in Figure 1 and detailed in Figure 2 as a running example, which motivates and introduces the key elements of our language.Abstractly, a quantum network protocol can be thought of as an automaton that coordinates the distribution of entangled qubits across different nodes, along both physical and virtual quantum links.This distribution is done through generating rules, which are faithful abstractions of hardware behavior.
Network behavior.We divide the entanglement generating protocols in the spirit of Van Meter and Touch [2013] into rounds, each representing a time window.Rounds contain actions, which we refer to as basic actions, that are executed synchronously, i.e., they are performed in the same time window.Progression from one round to the next is represented by sequential composition, while iteration across rounds is encoded using the Kleene star.Basic actions of a single round can only act on the set of Bell pairs present in the network at the start of the corresponding time window, with race conditions emerging if resources are insufficient, i.e., not enough Bell pairs are available.In order for an individual basic action to be successfully executed it must first acquire a specific set of Bell pairs, said to be required by that action, from those available in the corresponding round, and after that use these Bell pairs to generate new entangled pairs.If the required set of Bell pairs cannot be acquired due to insufficient number of Bell pairs, the action is not executed and no Bell pairs are consumed, leaving them available to other actions in the same round.If the action acquires the required Bell pairs but fails to generate a new pair, the acquired Bell pairs are destroyed.A heralding classical signal is sent from the quantum data plane to acknowledge the success or failure of each action.The next round then proceeds in the same manner, acting on the set of Bell pairs either produced or not consumed by the prior round.
Bell pairs.The fundamental unit in quantum networks are Bell pairs, like packets are in classical networks.Yet, unlike packets, qubits carry no headers, therefore control information needs to be sent via separate classical channels.The nodes then correlate this information with the qubits stored in their memory.Another difference is that a Bell pair consists of two qubits distributed across two nodes, and these nodes must coordinate to ensure that they are operating on qubits that belong to the same Bell pair.The identity of nodes entangled via a Bell pair should be properly shared across the network, hence we assume that nodes have unique efficiently representable identifiers.We write ∼ or ∼ to denote a Bell pair between nodes and .For a given qubit in a Bell pair, the node of the other qubit can dynamically change with each action at runtime, making actions stateful, as opposed to the classical mostly stateless packet switching.

Actions.
A basic action has form ⊲ , whose effect entails consuming a multiset of required Bell pairs and producing a multiset of Bell pairs .For example, a swap of ∼ and ∼ at node , denoted sw⟨ ∼ @ ⟩, is represented as {{ ∼ , ∼ }} ⊲ {{ ∼ }}, and a local creation at node , denoted cr⟨ ⟩, can be represented as ∅ ⊲ {{ ∼ }}.Similarly, tr⟨ → ∼ ⟩ represents physically forwarding one qubit of the Bell pair ∼ to node and the other qubit to node , and tr⟨ → ∼ ⟩ represents physically forwarding one qubit of the Bell pair ∼ to node and keeping the other qubit in 's memory; the former can be written as {{ ∼ }}⊲{{ ∼ }}, and the latter as {{ ∼ }}⊲{{ ∼ }}.Modeling failures of actions is necessary to capture decoherence and loss, as well as inherently probabilistic operations like distillation, where di⟨ ∼ ⟩ inputs two copies of ∼ and returns {{ ∼ }} or ∅.We model such failures as ⊲ + ⊲ ∅, where + represents nondeterministic choice.We remark that our actions also abstract away the control operations over the classical network.For example, Bell state measurement performed in the repeater during entanglement swapping requires two bits of classical control signals to be exchanged.
Policies.BellKAT policies are specifications of entanglement generating protocols.Intuitively, policies and can be thought of as functions that take a multiset of Bell pairs as input and return two multisets of Bell pairs: those that were produced and those that were not consumed.Within a single round, the produced Bell pairs and the Bell pairs that were not consumed are kept separate, since the fresh Bell pairs cannot be consumed in the round in which they were generated due to timing constraints.When the round is finished, all Bell pairs in the network are together made available to the next round.Concretely, single round policies are functions from M (BP) to P (M (BP) × M (BP)), and multi-round policies are functions from M (BP) to P (M (BP)); where elements of M (BP) are multisets of Bell pairs, and the ranges are powersets due to nondeterminism.In order to build more sophisticated policies, we introduce policy composition operators.When acting on the input multiset, the union operator ( + ) yields the union of the sets produced by and .The sequential composition operator ( ; ) first applies to the input multiset and then applies to each multiset produced by .The Kleene star operator ( ★ ) expresses iteration.Furthermore, operators ( • ) and ( ∥ ) model ordered and parallel composition of policies, respectively, that occur synchronously within a single round.Here, operator • imposes that has preference over in accessing the available Bell pairs, while ∥ allows for resource competition.Policies of our running example.The entanglement generating protocol in Figure 2a can be expressed with the following policy: Similarly, the generating protocol in Figure 2b can be expressed with the following policy: Histories.Quantum histories record the behaviors that the generating rules produce.Concretely, they capture the order of operations in a given execution of the protocol.To illustrate, the execution histories of protocols P1 and P2 can be seen in Figure 3 below.Unlike NetKAT histories, which encode paths of classical packets, our histories record the basic actions that execute successfully.Histories are not needed for protocol implementation and execution, they are, however, very useful when carrying out verification tasks, as detailed in Section 5.
Tests.Our policies can be guarded by tests, which act as additional explicit checks over the available Bell pairs.These tests check for the absence of multiset elements, in addition to the checking for required Bell pairs that is inherent to every action.This allows us to capture conditional behaviors with expressions of form [ ] + [ ′ ] ′ , with [ ] denoting that policy is guarded by test .
Iterative policies with Kleene star.Due to the probabilistic nature of operations, early generations of quantum networks will inevitably employ the strategy of repeated attempts of distillation and creation [Van Meter et al. 2011].This was demonstrated by Pompili et al. [2021]  generate an entangled pair until the heralding signal announcing success is received.Their protocol involves repeated rounds of distillation -in our language, this iterative behavior is expressed with Kleene star.To showcase the expressiveness of our language, we now specify the protocol of Pompili et al. as a guarded iterative policy.We make use of the network in Figure 2 (a), which has all the necessary components.The goal is end-to-end entanglement distribution between nodes and , by swapping ∼ and ∼ at node .In this scenario, however, before performing the swap, we improve the quality of entangled states ∼ and ∼ with distillation.To achieve this, we first transmit two Bell pairs from the source to the nodes and , and then distill ∼ .The distillation requires two copies of ∼ to produce one copy of the same Bell pair of a higher quality.This is expressed by the policy : Since distillation is an inherently probabilistic operation, must be repeatedly executed until the success signal arrives.With denoting the test that checks for the absence of ∼ , the while-loop of repeated executions is expressed with Kleene star as specified in the policy ; ([ ] ) ★ .Similarly to , an improved Bell state ∼ can be generated by guarded iterations of the policy ′ : This leads to the policy ′ ; ([ ′ ] ′ ) ★ , where ′ tests for the absence of ∼ .Then the repeater swap protocol of Pompili et al. is expressed with the policy below:

LANGUAGE
BellKAT is designed to be a simple but expressive specification language for quantum networks.Its semantics satisfies the axioms of our BellSKA algebraic structure together with additional axioms that capture domain-specific features of entanglement distribution in quantum networks.This section presents the syntax, semantics, and equational theory in a formal manner.For brevity, we omit the detailed proofs, they can be found in the long version of this paper.2

Preliminaries
A Bell pair bp is represented by an unordered pair of nodes.We assume a finite number of nodes 1 , . . ., .Bell pairs may have additional classical metadata, like tags denoting the action by which they were produced, or a timestamp (which we omit here for simplicity).A quantum network must keep track of the Bell pairs it contains.If a multiset ∈ M (BP) contains Bell pairs ∼ , we say that the multiplicity of ∼ in is .We will be using the common terminology of multisets (also called msets or bags) and relations between them.In particular, we write ⊎ ′ for additive union of multisets and \ ′ for multiset difference.When nodes perform a basic action ⊲ , they only need a partial view of the Bell pairs in the network, in order to determine whether the network contains the required multiset of Bell pairs .This permits us to define the network state as a partial function ∼ ↦ → .We will use the terms multiset and (total) network state interchangeably.
Tests act as guards for policies.They are positive Boolean terms over atomic propositions, denoting multiset absence, with an additional operation ⊎.Here, test ∈ M (BP) has the semantics that ⊈ for a given input multiset .In particular, ∅ is a valid test which is false on any multiset.On the other hand, 1 signifies the test which is true on any multiset, i.e., no test.
An atomic action [ ] ▶ ∈ Π behaves the same as a basic action when its required Bell pairs are available and test succeeds, meaning that it consumes the multiset and outputs the multiset together with the unconsumed Bell pairs.On the other hand, when this is not the case, the action aborts, resulting in no output.Atomic actions are the core building blocks (i.e., cannot be decomposed) of our language and thus form the basis for algebraic reasoning.The language users, however, will express their protocol using only basic actions and guards, as illustrated in policies P1, P2, and P3.We note that basic actions are broken down into atomic components as follows: ⊲ ≜ [1] ▶ + [ ]∅ ▶ ∅.(In principle, users could use atomic actions directly to specify quantum protocols, but we advise against it, since it may lead to mistakes like expressing protocols that unintentionally abort or do not correspond to valid quantum operations.)Constant policy 0 acts as abort, and constant policy 1 displays no-op behavior, which is different in different contexts -within a single round it acts as skip, whereas in multirounds it represents the absence of actions, which we refer to as no-round.

Overview
The diagram in Figure 4 overviews the key components of BellKAT's syntax and semantics and relations among them.− interprets policies in P consisting of a single round.Standard interpretation (−) transforms a policy into a set of strings of atomic actions.The semantics ⟦−⟧ of multi-round policies P is defined through ⟦−⟧ that converts each string in Π * to a sequential composition of atomic actions.Formal definitions are elaborated on below and detailed in Figure 5.If is a single round policy, ( ) is a finite set of strings of length one.

Syntax
The complete BellKAT syntax is given in Figure 5. Atomic actions [ ] ▶ together with constants 0 and 1 form the constituents of policies.Users will typically write protocols as (guarded) policies consisting of basic actions ⊲ .We provide shorthand notations for the most common basic actions: With our syntax, it is possible to express basic actions that may fail to generate new Bell pairs even if there are enough required Bell pairs in the network.We write such policies as ⊲ + ⊲ ∅ ≜ ⊲ + fail⟨ ⟩ where, if the required Bell pairs are available, either the multiset of new Bell pairs is created or the action fails, in both cases consuming .For example, for distillation, which is inherently probabilistic, we use the following shorthand notation: Basic actions enable users to specify many other quantum operations, for instance, create a Bell pair between neighboring nodes directly, or variants of distillation that require more that two Bell pairs.We follow the conventional precedence of the operations: ★ > ; > • > ∥ > + , with ★ binding the tightest and + the weakest.For example, 1 ∥ 2 ; 3 + 4 • ★ 5 is parsed as ( 1 ∥ ( 2 ; 3 )) + ( 4 • ( ★ 5 )).

Axioms
In this section we introduce our algebraic structure BellSKA, which is the foundation of the BellKAT language, and its related equational theory.All the axioms are listed in Figure 6.
BellSKA is a KA designed to tackle multi-round behavior, by modeling sequential progress throughout rounds.BellSKA contains two SKAs, catering to two different synchronous behaviors that arise from sequential and parallel compositions of atomic actions within single rounds.
BellKAT is an instantiation of the BellSKA algebraic structure for our multi-round quantum network model.A key aspect of BellSKA are the axioms Net-Prl (stating that and ′ can be applied in any order) and Net-Ord (stating that the former action always acts first) combine language symbols in such a manner that ∥ ′ ∈ Π and • ′ ∈ Π.
Tests follow the monotone axioms of Boolean algebra, with the additional axioms listed in Figure 6.Tests are predicates over multisets of Bell pairs.In BellKAT, tests are part of atomic actions, unlike in KAT, where Boolean algebra is a subalgebra in KA.A guarded policy [ ] is provably equivalent to the expression that adds an additional test to the first round of .For example, axioms SKA-Ord-Dist-L and Net-Ord imply: Single round policies are the terms constructed from basic actions, with the following grammar: Single round policies are composed with single round BellKAT axioms in Figure 6.The resulting algebraic structure (P , +, • , ∥, 0, 1) is a trioid, i.e., (P , +, • , 0, 1) is an idempotent semiring and (P , +, ∥ , 0, 1) is a commutative idempotent semiring.However, trioid axioms are not complete for the underlying single round BellKAT model.To establish single round completeness, we need to add axioms that relate atomic actions which have equivalent single round behaviors.Axiom Sr-Exc, called the exchange law, relates the ordered and parallel structures within single rounds (however, it does not hold for multi-round policies).Concurrency in BellKAT is governed by the synchrony laws SKA-Prl-Seq and SKA-Ord-Seq that relate the sequential and synchronous algebraic structures of multi-round policies.BellKAT's round-by-round architecture provides simple equational reasoning, and at the same time its semantics faithfully expresses the behaviors of quantum networks.We compare BellKAT to other concurrent KAs in the long version of the paper.
The next section deals with the semantics of single round policies, and the following section deals with the semantics of multi-round policies.Importantly, in Section 4.6 we prove that BellKAT's equational theory is sound and complete with respect to the standard interpretation, which permits us to express multi-round policies as sets containing sequential compositions of atomic actions.
as input and returns a set of pairs of multisets as output.Each returned pair of multisets (written ⊲⊳ ′ ) has the freshly created Bell pairs as its first element and the Bell pairs that were not acted on as its second element.The output set can be empty, which models aborting behavior, or it can contain a number of multiset pairs, each one modeling a possible way in which entangled states are distributed between end nodes.In particular, a basic action (which constitutes the user-facing syntax of single round policies) is interpreted as a function that acts by the rule: It creates Bell pairs if the input multiset contains the required Bell pairs , otherwise the entire is passed on.Similarly, an action which may fail is expressed with ⊲ + ⊲ ∅ and produces: ∅ ▶ ∅ -it requires no Bell pairs and produces no Bell pairs.Thus we declare these equivalences as single round axioms Sr-Zero and Sr-One.However, in Section 4.6.2we elaborate why they cannot hold for multi-round policies.
The union operation + denotes a function that produces the union of the sets generated by the operands.Axiom Sr-Plus relates union with disjunction.Ordered composition • models actions that occur in a fixed sequential order within a single round.Intuitively, the actions occurring later in the policy expression can act only on the Bell pairs that have not been used by the previous actions.Contrawise, parallel composition ∥ connects the policies which are to be executed in the same round with no specified order.Definition 4.2.Consider functions , : M (BP) → P (M (BP) × M (BP)).We define • by using the Kleisli composition of functions on the right component.The exact definition is as follows: Definition 4.3.For functions , : M (BP) → P (M (BP) × M (BP)), we define ∥ as: The next example illustrates the difference between ∥ and • when there is resource contention.
Lemma 4.1.For any ∈ F the following properties hold: Lemma 4.2.Functions in F satisfy the trioid axioms in Figure 6 -these are the KA axioms involving the + and the SKA axioms involving • and ∥, excluding the axioms that contain ; or ★ .We conclude with an example, showing that parallel composition of actions does not simply reduce to interleaving.Accordingly, Example 4.2.Consider the following basic actions and the multiset = {{ ∼ , ∼ , ∼ , ∼ }}: In contrast, in • ( ∥ ( ′ • ′ )) function acts first on consuming ∼ , meaning that ′ cannot act on \{{ ∼ }}.Similarly, in ′ • (( • ) ∥ ′ ), ′ acting on prevents from acting on \{{ ∼ }}.This proves that, 4.5.2Completeness of Single Round.Next we prove the completeness of BellKAT axioms with respect to the denotational semantics of a single round.This means that single round BellKAT expressions which are semantically equal, are provably equivalent by BellKAT axioms.In order to prove completeness, we will find a normal form of policies that captures their semantic meaning.Definition 4.5 (Normal form of tests).A test is in normal form if it is a finite conjunction of multiset absences (by convention, empty conjunction is test 1), = , where ∈ M (BP), and for no two multisets and ′ in the inclusion ⊆ ′ holds.
Lemma 4.6.Every test is equivalent to a test in normal form ( ).Moreover, if tests in normal form have the same test semantics, they are syntactically identical (up to permutations of conjuncts).Definition 4.6 (Canonical form of tests).Let be a test and ( ) = its normal form.The normalized test of ( ∪ ) is called canonical form of with respect to .Canonical form of 1 is 1.
Lemma 4.7.Let = [ ] ▶ and ′ = [ ′ ] ▶ be atomic actions.Then = ′ if and only the canonical forms of and ′ with respect to coincide.Definition 4.7 (Normal form of policies).A policy is in normal form if it is a finite sum, s.t.every summand has a unique ( , ) pair with the corresponding in canonical form w.r.t. and ≠ : A corollary of Lemma 4.7 is that an atomic action [ ] ▶ aborts if and only if the canonical form of is .This ensures that normal form of a policy is unique as stated in the next lemma.
Lemma 4.8.Every single round policy is normalizable, i.e., it is provably equivalent to a policy in normal form.Furthermore, policies in normal form with the same single round semantics coincide.
The proofs of the above lemmas (provided in the long version of the paper, where we also include examples of policies in normal form) follow by rigorously applying the definitions.

Semantics of Multi-Round Policies
In this section we tackle the standard issue with the algebraic models dealing with concurrency, also encountered by Wagemaker et al. [2020Wagemaker et al. [ , 2022]]: some behaviors of an executed policy can only be observed when executed concurrently with another policy, and not in isolation.This goes against the algebraic approach, which requires capturing policy behavior in all contexts.Hence, in the sequel, we include complete execution traces in the semantics that do not directly correspond to the observable end-to-end behavior.We present the standard interpretation of policies by defining a homomorphism that maps a policy (as an expression in BellSKA and obeying axioms in Figure 6) into a synchronous set of strings of atomic actions.
4.6.1 Soundness and Completeness of BellSKA.
Definition 4.8 (Synchronous policy sets).In a quantum network, consider the set of atomic actions (denote them by , ∈ Π).String policies over Π are strings of atomic actions including the empty string (denote them by , ∈ Π * ).A synchronous policy set is a set of policy strings in P (Π * ) (denoted by , ).Consider the following definitions and operations on synchronous policy sets, where denotes the concatenation of strings and in Π * , with layer-by-layer ordered composition • ∈ Π * and layer-by-layer parallel composition ||| ∈ Π * , defined respectively by the rules, where • and ∥ are the atomic action obtained by the axioms Net-Ord and Net-Prl in Figure 6.The powers of are defined recursively as 0 ≜ { } and ≜ ; −1 .By convention ★ always contains the empty string, thus when = ∅ we set ★ = { }.
Theorem 4.1.Any set of synchronous policy sets that contains 0 and 1 and is closed under the operations of Definition 4.8 is a BellSKA.
Theorem 4.1 shows that any subalgebra of P (Π * ) is also a BellSKA (see Definition 4.1).Let BellSKA be the smallest algebra that contains 0, 1 and all ∈ Π in a given quantum network.Definition 4.9 (Standard interpretation).Consider the set of policies P as a BellSKA term algebra.Standard interpretation : P −→ BellSKA maps the generators of P by the rule ( ) = { } and (1) = { }, (0) = ∅, and is then homomorphically extended as: Standard interpretation provides a deterministic algorithm for obtaining a model for BellSKA policies.Indeed, for a given policy we recursively apply homomorphism to obtain a set of synchronous strings, as illustrated on the next example.
Example 4.3.Consider policies and that are sequential compositions of atomic actions, ) therefore they are interpreted as singletons.Then, ( ∥ ) is given by the Net-Prl axiom: The theorem below shows that ( ) is regular for any policy .The automata constructed in the proof of completeness can be also used to decide if ( ) = ( ). 4.6.2Multi-Round Policies as Functions.The denotational semantics of multi-round BellKAT is defined in Figure 5.In summary, ⟦−⟧ : P → M (BP) → P (M (BP)) is defined through the standard interpretation as ⟦ ⟧ ≜ ∈ ( ) ⟦ ⟧ , where ⟦−⟧ : Π * → M (BP) → P (M (BP)) is recursively defined as ⟦ ⟧ ≜ ⟦ 1 ⟧ • ⟦ 2 . . .⟧ , with (•) denoting the Kleisli composition: Next we show that executions of provably equivalent policies produce the same Bell pairs.
Proof.The soundness of multi-round policies follows from the soundness of both the standard interpretation (Theorem 4.1) and single round policies (Corollary 4.1).A key aspect is that all ∈ Π are considered as actions that require time, whereas 1 is considered as the absence of actions (hence the name no-round).This is why we exclude the Sr-One axiom from multi-round policies.□ Remark 4.1 (Atomic actions ∈ P vs. ∈ P s ).For an atomic action , its multi-round and single round semantics are closely related.Syntactically, we replace ⊎ with ⊲⊳ in the definitions of ⟦ ⟧ and .This means that ⊲⊳ separates the freshly created Bell pairs from the unused Bell pairs within a single round, as opposed to ⊎ that combines both multisets to be offered to the next round.
The following example illustrates that the nature of quantum networks does not permit compositional observational reasoning at the level of end-to-end behavior when actually executed.The end-to-end behavior is captured by our multi-round denotational semantics, which assumes isolated execution.This is consistent with our quantum network architecture, which, before execution, installs the policy into the network as generating rules.It is precisely the behavior of these rules that we want to analyze -any future policy modifications, including composition with other policies, would require a separate analysis.We construct a policy whose semantics is abort, however when run in parallel with another policy, their combined meaning produces Bell pairs.Example 4.4.Recall the policies and in Example 4.3.From ( ) we read that the first round always creates ∼ , and the test in the second round only passes the multisets which do not contain ∼ , thus ⟦ ⟧ = ⟦0⟧ = ∅ is abort.On the other hand, we showed that ( ∥ ) is a singleton containing which on the empty input produces: This illustrates that no set of axioms is sound and complete w.r.t.⟦−⟧, else the application of Leibniz rule of inference on ≡ 0 would lead to ∥ ≡ 0 ∥ ≡ 0, which contradics ∥ 0. The next example shows that BellKAT axioms are not complete w.r.t.⟦−⟧, even for the fragment of policies generated with basic actions ⊲ .The following policies have clearly distinct second rounds, however semantically they behave the same on all the inputs provided by the first round.4.6.3Equivalence Checking for Isolated Policy Behaviors.This section presents the tools to reason about actual end-to-end execution of policies, at which point it is appropriate to factor in the system constraints, in particular, finite qubit memory at the end nodes.We explicitly deal with atomic actions whose execution leads to constraint violation.Specifically, we introduce an invalid network state ⊥ and a notion of valid policies (policies that do not reach invalid states).Example 4.5 with ⟦ ⟧ = ⟦ ⟧ and , shows that checking whether ⟦ ⟧ = ⟦ ⟧ requires techniques beyond the equational reasoning we have been focused on so far.On a high level, ⟦−⟧ is designed to faithfully model the network's behavior, i.e., how protocols represented by policies are executed; thus, some information about how a policy would behave when composed with other policies gets lost, as illustrated in Example 4.4.Such information should be present for soundness and completeness to hold as the congruence rule of inference implies that equivalent functions must behave equivalently in all contexts.Concretely, Theorem 4.2 guarantees that equational theory is complete w.r.t. the standard interpretation (−), which is thus not a proper reflection of ⟦−⟧.
The meanings (−) and ⟦−⟧ cater for different applications, namely, standard interpretation is useful for policy optimization (capturing the behavior in all contexts) and end-to-end meaning facilitates policy verification (whether the policies in isolation do what they were meant to).The difference between the meanings stems from the shared nature of resources (Bell pairs) that policies use and produce; through these resources the policies affect each other's behavior when composed.
To reason about ⟦−⟧, we keep track of the current network state (multiset of Bell pairs).There is only a finite number of valid network states, denoted by N ⊆ M (BP), as both the number of nodes in the network and the number of Bell pairs between any two nodes is bounded.Since N captures the network hardware constraints (e.g., number of available memory qubits), we fix it globally to simplify the definitions.Moreover, we allow further restriction on the set of initial network states N 0 ⊆ N in which policies start execution.N 0 specifies properties of the initial network state, e.g., N 0 = ∅ signifies that there are no Bell pairs present yet.Hence, the goal is to check whether for all ∈ N 0 we have ⟦ ⟧ = ⟦ ⟧ , denoted as ⟦ ⟧ = N 0 ⟦ ⟧.
Definition 4.10.A BellKAT policy is valid with respect to N 0 ⊆ N if and only if any network state, encountered during any execution of on an input from N 0 , is also in N .
If we consider a finite Π ′ ⊆ Π, we can build a transition system G(Π ′ ) with N ⊥ = N ∪ {⊥} as states and Π ′ as actions; states in N 0 are initial, states in N are terminal, and ⊥ is an invalid network state, for , ′ ∈ N there is a transition from to ′ labelled with iff ′ ∈ ⟦ ⟧ , and there is a transition from to ⊥ labelled with iff ⟦ ⟧ \ N ≠ ∅.At the same time, for a policy we can build an automaton A ( ) as in the proof of Theorem 4.2, which can be seen as another transition system with the set of actions Π = { ∈ | ∈ ( )}.Finally, we can build a transition system G(Π ) ∥ Π A ( ) that is a parallel composition of G and A ( ) with handshaking on the set of actions Π (see [Milner 1989]), i.e., the set of states is N × states(A ( )) and there is a transition from ( , ) to ( ′ , ′ ) labelled with iff there are -labelled transitions from to ′ in G and from to ′ in A ( ).Such a transition system captures isolated behavior of .
These definitions of transitions in G(Π ) and A ( ) yield the next lemma.As a consequence, we obtain a tool to reason about the equality of policies w.r.t.⟦−⟧ in Theorem 4.4.Furthermore, in Theorem 4.5 we also show that the validity of a policy is decidable.The actual implementation of the decision procedure, does not explicitly build G(Π ) due to its large size, but constructs G(Π ) ∥ Π A ( ) directly, adding states from N in a lazy manner.Lemma 4.9.Let ∈ P, ∈ N 0 , and ′ ∈ N .Then, ′ ∈ ⟦ ⟧ if and only if there is an execution of G(Π ) ∥ Π A ( ) starting in state ( , ) and ending in ( ′ , ′ ) for some and ′ in states(A ( )).
Proof.The question of ⟦ ⟧ = N 0 ⟦ ⟧ can be reduced to checking whether for any ∈ N 0 , ′ ∈ N , ′ ∈ ⟦ ⟧ ⇔ ′ ∈ ⟦ ⟧ .Since N is finite, the latter can be answered with Lemma 4.9.□ Theorem 4.5.Policy is valid if an only if there is no execution in G(Π ) ∥ Π A ( ) ending in the state (⊥, ′ ) for some ′ in A ( ).

QUANTUM NETWORK VERIFICATION
The limitations of hardware, such as low rates of Bell pair generation, short memory lifetimes, and limited numbers of communication qubits, make competition for resources unavoidable.This competition is the main motivation for formal reasoning about quantum network properties.
BellKAT's equational theory and the decidability result, following from Theorem 4.2, can be used to verify that policies are equivalent in all contexts, facilitating modular policy optimization, while the decidability result in Theorem 4.4 can be used for network verification by translating certain network properties to checking equivalences between end-to-end policy behaviors.
BellKAT serves as an intermediate layer when verifying distributed quantum applications, separating them from low level implementations of quantum actions.Users specify protocols as BellKAT policies, typically starting with a round of create actions.Before deploying the policies on a quantum network, users will verify that resource sharing, arising either from concurrency within the policy or due to composition with other policies, will not impede the desired Bell pair generation.
Verification tasks.The following properties translate naturally from classical networks to the quantum setting of entanglement distribution.
• Reachability.The most basic property of interest is whether the execution of a policy is able to generate the requested entanglement between end nodes.• Waypoint correctness.We may wish to guarantee that an entanglement generating protocol always performs the swapping operation through certain nodes.• Traffic (protocol) isolation.Composition of policies may lead to undesired behaviors, such as race conditions.In light of this, it is desirable to prove non-interference properties that ensure isolation between executions of the composed policies.• Compilation.Establishing the correctness of the compilation process is a necessary final step for ensuring correct deployment.
The following properties, which do not have a clear counterpart in classical networks, are posed as resource constraint problems.
• Resource utilization.What is the number of required memory locations and communication qubits?For how many rounds must Bell pairs be kept in the memory?• Quality of service.Does the network have the required capacity (i.e., number of created end-to-end Bell pairs per second), and what is the confidence in their quality?• Network state access.Can we minimize the number of costly accesses to the network global state in a policy?Such optimization can significantly reduce the coordination effort.
From histories it is possible to read whether an underlying protocol obeys the hardware constraints (e.g., the number of communication and memory qubits, as illustrated in Figure 3), and also suggest how to optimize resource allocation over rounds.It is worth noting that Bell pairs between the same two nodes are indistinguishable for most applications, which can lead to more efficient provisioning of resources.In addition, the information recorded in histories could shed some light on the order among communication channels, as investigated by Chandra et al. [2022].
Decidability and Verification.Some of the tasks above can be solved by a directed application of the decidability results of Section 4.6.An example of verifying the reachability property would be to check whether policy always or never generates an entangled pair ∼ ; concretely, we can check if ( ; [1]{{ ∼ }} ▶ {{ ∼ }}) ≡ N 0 or ( ; [{{ ∼ }}]∅ ▶ ∅) ≡ N 0 using Theorem 4.4.We can also verify resource utilization, with an important practical task being to analyze memory requirements of a policy , achieved by trying different sets of valid states N while keeping track of whether remains valid (see Theorem 4.5).In addition, to verify correctness of the compilation procedure compile : P → P on a policy , we can again use Theorem 4.4 to ensure ≡ N 0 compile( ).A single optimization step opt : P → P can be checked with ⊢ ≡ opt( ) using Theorem 4.2.
Prototype implementation.For a given policy, BellKAT histories are records of the successful basic actions ⊲ and the order in which they occur.We implemented a prototype in Haskell which produces a set of histories from a given policy.For improved visualization, the prototype can also illustrate histories as shown in Figure 3. Furthermore, it can check the validity and equality of policies by implementing the decision procedure described in Section 4.6.3.This procedure allows us to verify concrete properties, such as those discussed in the previous paragraph.A last feature of note is our prototype's ability to perform network slicing, which facilitates modular construction of policies by tagging them with unique identifiers in order to keep them differentiated, similar to the concepts of NetKAT slices and boxes by Brunet and Pym [2020].By appending such (classical) metadata to Bell pairs it is possible to model basic interactions between control plane and classical and quantum data planes.Our prototype is open source and freely available as an online artifact. 36 CONCLUSION Successful integration of classical and quantum networks will provide novel solutions for secure communication tasks, pave the way to distributed quantum computing, and enable other large scale applications of quantum communication technologies.Significant research and engineering efforts are still required until quantum networks reach full functionality.Our work focuses on the specification of entanglement generating protocols, taking into account the distinctive features of entanglement as the main communication resource.With BellKAT, we provide a foundational model for quantum network programming languages in a threefold manner.(1) We present a solid algebraic foundation, called BellSKA, on which the BellKAT language and logic is based.BellKAT's axioms faithfully encode the network behavior and allow for equational reasoning.(2) We showcase the expressiveness of BellKAT by specifying a number of entanglement generating protocols, including the only long distance repeater protocol currently realized in practice [Pompili et al. 2021].(3) We implemented a prototype to support the practical specification of protocols and verification of relevant properties.The capabilities of our prototype are complementary to those of existing simulators like NetSquid [Coopmans et al. 2021].
The BellKAT formalism and its underlying BellSKA structure open exciting new research avenues, including (i) the formalization of probabilistic phenomena of quantum networks, (ii) the extension of BellKAT to handle quantum states other than Bell pairs, (iii) the investigation of additional BellKAT semantic models to cater to more verification tasks, and (iv) the exploration of possible uses of BellSKA.For (i), we envision extending BellKAT with probabilistic semantics by adding a random choice operation (+ ) for specifying probabilities, similar to the work of Foster et al. [2016] and Smolka et al. [2019b].For (ii), actions could, for instance, be generalized to handle the transmission of single qubits {{ }} ⊲ {{ }}, or the creation of EPR pairs from tripartite states {{ ∼ ∼ }} ⊲ { {{ ∼ }}, {{ ∼ }}, {{ ∼ }} } with the distillation process of Dür et al. [2000].For (iii), a potential semantic extension could record the state of the network at the end of each round, allowing for the capture of intermediate results.For (iv) we could consider possible instantiations of BellSKA to handle other systems exhibiting 2-dimensional behavior (e.g., bulk-synchronous parallel model [Valiant 1990] or hardware design [Halbwachs et al. 1991]) and, furthermore, identify a guarded fragment of BellKAT that is regular, similar to the work of Smolka et al. [2019a].

Fig. 1 .
Fig. 1.Illustration of a quantum network with five nodes.

Fig. 3 .
Fig. 3. Sample execution histories of the two protocols in Figure 2, generating Bell pairs ∼ and ∼ in different ways.The histories shown in (a) have three rounds and one swap each, and the histories shown in (b) have four rounds and two swaps each.Actions are annotated in gray, but they are not part of the execution histories.

Fig. 4 .
Fig. 4. Overview of BellKAT key ingredients: arrows → and indicate soundness and completeness, → is restriction from multi-round to single round policies.Single round meaning factors (→) thorough (−), which modifies a single round policy into its normal form.→ signifies merging the freshly produced with unused Bell pairs.
Lemma 4.4.The − meaning of network axioms and single round axioms in Figure6is sound.
Proposition 4.1 (Completeness).Let , be single round policies such that = .Then and are provably equivalent by the BellKAT axioms.Proof.By the definition of single round policies, and are in F .By Lemma 4.8 policies and are provably equivalent to their normal form ⊢ ≡ ( ) and ⊢ ≡ ( ).Then soundness in Corollary 4.1 yields = ( ) and = ( ) .Completeness then follows from the implication ( ) = ( ) ⇒ ( ) = ( ) proven in Lemma 4.8.□ Theorem 4.2 (completeness w.r.t.standard interpretation).Policies , ∈ P are equal under the standard interpretation if and only if they are provably equivalent using BellKAT's axioms.That is, ( ) = ( ) if and only if ⊢ ≡ .
otherwise In contrast with basic action, semantics of an atomic policy [ ] ▶ produces the empty set if either test ⊆ or ⟨| | ⟩ fails.Semantically, tests act as guards of atomic actions to which they are atomically tied.The intuition behind our definition of ⟨| ⊎ | ⟩ is that ⟨| ′ ⊎ | ⟩ checks for multiset absence ′ ⊎ ⊈ (one can prove that the definition (⟨| ′ | ⟩ \ ∧ ⊆ ) ∨ ⟨| | ⟩ is symmetric), and the general case follows by distributivity of ⊎ over ∧ and ∨.The relation between the test and the inclusion test for in [ ] ▶ is captured with the Sr-Can axiom.Tests can model filters with the action [ ]∅ ▶ ∅ .Constant 0 aborts on every input and behaves as the action [∅] ▶ with arbitrary and , since test ∅ will only succeed for a given if ∅ ⊈ .Constant 1 acts as skip and has the same behavior as [1]