Upload
gejikeiji
View
217
Download
0
Embed Size (px)
Citation preview
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 1/27
Using Prior-Entanglement for Honest Provers
Julia Kempe∗[email protected] Hirotada Kobayashi†[email protected] Keiji Matsumoto†[email protected]
Thomas Vidick ‡
∗Department of Computer Science
Tel Aviv University
Tel-Aviv 69978, Israel
†Principles of Informatics Research Division
National Institute of Informatics
2-1-2 Hitotsubashi, Chiyoda-ku, Tokyo 101-8430, Japan‡Computer Science Department
Ecole Normale Superieure
Paris, France
7 September 2007
Abstract
The central question in quantum multi-prover interactive proof systems is whether or not the prior entangle-
ment shared by provers affects the verification power of proof systems. Although it is often stated that sharing
prior entanglement has possibility both to strengthen and to weaken the power of quantum multi-prover in-
teractive proof systems, all the existing studies focus only on the negative aspects of prior entanglement, i.e.,
whether or not dishonest but prior-entangled provers can break proof systems that are sound for any dishonest
and prior-unentangled provers. This paper studies the positive aspects of prior entanglement and shows that
prior entanglement is useful even for honest provers. By allowing honest provers to share prior entanglement,
the following important properties are proved for quantum multi-prover interactive proof systems:
• Any quantum k-prover interactive proof system with two-sided bounded error can be modified to a quan-
tum k-prover interactive proof system with one-sided bounded error of perfect completeness, for any k.
• Any quantum multi-prover interactive proof system can be parallelized to a one-round quantum multi-
prover interactive proof system. More precisely, any general quantum k-prover interactive proof system for
some polynomially bounded k with two-sided bounded error can be parallelized to a one-round quantum
k-prover interactive proof system for another polynomially bounded k of perfect completeness with
exponentially small error in soundness.
• Any quantum k-prover interactive proof system can be modified to a public-coin quantum k-prover inter-
active proof system, for any k.
• Any language in QIP (and thus in PSPACE) has a two-prover one-round quantum interactive proof
system of perfect completeness with exponentially small error in soundness.
All of these properties except for the first one are not known to hold when considering only prior-unentangled
honest provers, and thus give first evidence that sharing prior entanglement may be advantageous even to honest
provers. Also, the third property is in contrast to the classical case in which classical public-coin multi-prover in-
teractive proofs are only as powerful as classical single-prover interactive proofs, and thus, cannot be as powerful
as general classical multi-prover interactive proofs unless NEXP = PSPACE.
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 2/27
1 Introduction
Multi-prover interactive systems are an important generalization of interactive proof systems [14, 4], and were
originally introduced by Ben-Or, Goldwasser, Kilian, and Wigderson [7] for the purpose of removing intractability
assumption from the zero-knowledge proofs for NP. Babai, Fortnow, and Lund [5], combining the result by
Fortnow, Rompel, and Sipser [13], showed that the class MIP of languages having a multi-prover interactive proof
system is equal to NEXP, which leads to the development of the theory of inapproximability in the framework of
probabilistically checkable proofs [11, 3, 2].
In a multi-prover interactive proof system, a verifier communicates with not only one but multiple provers,
while provers cannot communicate with each other prover and cannot know messages exchanged between the veri-
fier and other provers. It is easy to see that allowing provers to share randomness a priori does not change the power
of multi-prover interactive proof systems (except for zero-knowledge properties [6]). When considering a quantum
version of multi-prover interactive proof systems, however, one may allow provers to share entanglement a priori.
Particular cases are protocols with two provers initially sharing lots of EPR pairs. In general, provers may initially
share any kind of entanglement, not limited to the EPR-type ones. In fact, the central question in quantum multi-
prover interactive proof systems is whether or not this prior entanglement shared by provers affects the verification
power of proof systems. Kobayashi and Matsumoto [18] introduced the quantum multi-prover interactive proof
systems with a quantum verifier, and proved that the class of languages having a quantum multi-prover interactiveproof system is necessarily contained by NEXP when provers share at most polynomially many prior-entangled
qubits, and is equal to NEXP when they do not share any prior entanglement. Cleve, Høyer, Toner, and Wa-
trous [10] studied the multi-prover interactive proof systems in which a verifier remains classical but provers may
initially share entanglement, and presented several protocols for which shared EPR pairs can increase the power
of dishonest provers. They also proved that the class of languages having some restricted version of multi-prover
interactive proof system, denoted by ⊕MIP∗(2, 1), is contained by EXP for any two-sided bounded error when
provers are allowed to share prior entanglement (Wehner [27] improved the upper bound to QIP(2), the class of
languages having a two-message quantum interactive proof system), which is in contrast to that the corresponding
class ⊕MIP(2, 1) without allowing prior entanglement is equal to NEXP for some two-sided bounded error. Very
recently, Kempe, Kobayashi, Matsumoto, Toner, and Vidick [15] showed the limits of the power of dishonest entan-
gled provers in some quantum and classical multi-prover interactive proof systems for NP, NEXP, and PSPACE.Sun, Yao, and Preda [24] and Cleve, Gavinsky, and Jain [9] proved similar limits in some different classical multi-
prover interactive proof systems for NP. However, the gaps between the completeness and soundness accepting
probabilities are not satisfiably large for all these results.
All these studies focus only on the negative aspects of prior entanglement, i.e., whether or not dishonest but
prior-entangled provers can break proof systems that are sound for any dishonest and prior-unentangled provers.
However, more surprisingly, currently no upper bound is known on the power of quantum multi-prover interactive
proofs (or even the case in which a verifier remains classical) when provers are allowed to share arbitrarily huge
amount of prior entanglement. This suggests the possibility that the prior entanglement may be advantageous even
to honest provers. Indeed, it is often stated that sharing prior entanglement has possibility both to strengthen and
to weaken the power of quantum multi-prover interactive proof systems, although, to the best knowledge of the
authors, all the previous studies analyze only the negative aspects of prior entanglement.
This paper studies the positive aspects of prior entanglement and shows a number of general properties of
quantum multi-prover interactive proof systems by intensively using prior entanglement for honest provers, which
gives the first evidence that prior entanglement is useful even for honest provers. The main technical theorem of
this paper is that any quantum k-prover interactive proof system that may involve polynomially many rounds can
be parallelized to a one-round quantum (k + 1)-prover interactive proof system by allowing honest provers to share
prior entanglement, in which the gap between completeness and soundness accepting probabilities is still bounded
by an inverse-polynomial. More precisely, letting QMIP(k,m,c,s) denote the class of languages having an m-
turn quantum k -prover interactive proof system with completeness accepting probability at least c and soundness
1
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 3/27
accepting probability at most s, we have the following theorem.
Theorem (Theorem 7). Let k , m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any
functions that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, there exists another
polynomially bounded function p : Z+ → N such that QMIP(k,m,c,s) ⊆ QMIP
k + 1, 2, 1, 1 − 1 p
.
Remark. Although the term “round” is commonly used in classical multi-prover interactive proofs for describingeach set of verifier’s questions and the corresponding provers’ responses, the term “turn” is often used instead of
“round” in this paper. One round consists of two turns: the turn for a verifier and the turn for provers.
Since it is easy to amplify the success probability without increasing the number of rounds by running multiple
attempts of a protocol in parallel using a different set of provers for every attempt, the above theorem essentially
shows that one-round (i.e., two-turn) quantum multi-prover interactive proofs are as powerful as general quantum
multi-prover interactive proofs.
Corollary (Corollary 8). Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any
functions that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, for any polynomi-
ally bounded function p : Z+ → N , there exists another polynomially bounded function k : Z+ → N such that
QMIP(k,m,c,s) ⊆ QMIP(k, 2, 1, 2− p
).
The proof of our main technical theorem basically consists of three parts.
The first part is a pre-processing that converts any quantum k-prover interactive proof system with two-sided
bounded error into a quantum k-prover interactive proof system with one-sided bounded error of perfect complete-
ness. The second part proves that any quantum k-prover interactive proof system that may involve polynomially
many turns can be parallelized to one that involves only three turns (messages from provers followed by questions
from a verifier followed by responses from provers) in which the gap between completeness and soundness ac-
cepting probabilities is still bounded by an inverse-polynomial. Finally, the third part proves that any three-turn
quantum k-prover interactive proof system with sufficiently large gap between the completeness and soundness
accepting probabilities can be converted into a two-turn (i.e., one-round) quantum (k + 1)-prover interactive proof
system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-
polynomial.For the first and second parts, similar statements are already shown by Kitaev and Watrous [17] for the single-
prover quantum interactive proofs. Their proofs, however, heavily rely on the fact that a quantum prover can apply
arbitrary operators over all the space except for the private space for a verifier. This is not the case for the quantum
multi-prover interactive proofs, since now each quantum prover cannot touch the qubits in the private spaces and
the message channels for other quantum provers, in addition to those in the private space for a verifier. Therefore,
new techniques are required for the multi-prover case.
For making proof systems perfect complete, our basic idea is to use the quantum rewinding technique developed
for quantum zero-knowledge proofs by Watrous [26] in a different way. In our case we use it to “rewind” an
unsuccessful computation that would result in rejection into a successful one. To apply the quantum rewinding
technique, we first modify the protocol so that the honest provers can convince the verifier with probability exactly12 if they optimize their initial state to share. This initial shared state corresponds to the auxiliary input in the caseof quantum zero-knowledge proofs, and thus, the sequence of forward, backward, and forward executions of the
protocol basically achieves the perfect completeness. The obvious problem of this construction lies in soundness
in that dishonest provers may not use the same strategies for all of the three executions of the protocol. To settle
this, we design a simple protocol that tests if the second backward execution is indeed a backward simulation
of the first forward exection. The verifier performs either the original rewinding protocol or this invertibility test
chosen uniformly at random without revealing which test is undergoing. This forces the provers to use essentially
same strategies for the first two executions of the protocol, which is sufficient to bound the soundness accepting
probability.
2
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 4/27
For parallelization, our approach is to show that any quantum k-prover interactive proof system with sufficiently
large gap between the completeness and soundness accepting probabilities can be converted into another quantum
k-prover interactive proof system (with some weaker completeness and soundness conditions) in which the number
of rounds (turns) becomes almost half of that in the original proof system. The idea to prove this is that the verifier
first receives the snapshot state after (almost) half of turns have been executed in the original system, and then
executes a forward-simulation of the original system from that turn with probability 1
2 and a backward-simulation
of the original system from that turn with probability 12 . The honest provers have only to simulate the original
system to convince the verifier, while any strategy of dishonest provers with unallowably high success probability
would lead to a strategy of dishonest provers in the original system that contradicts the soundness condition. By
repeatedly applying this modification together with appropriate use of sequential repetition as a preprocessing,
we can convert any quantum k-prover interactive proof system into a three-turn quantum k-prover interactive proof
system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-
polynomial. If k = 1, this gives a simpler proof of the parallelization theorem due to Kitaev and Watrous [17] for
single-prover quantum interactive proofs.
To prove the third part, we will take a detour by proving (i) any three-turn quantum k-prover interactive proof
system with sufficiently large gap between the completeness and soundness accepting probabilities can be modified
to a three-turn public-coin quantum k-prover interactive proof system (with some weaker completeness and sound-
ness conditions), and (ii) any three-turn public-coin quantum k-prover interactive proof system can be converted
into a two-turn quantum (k + 1)-prover interactive proof system without changing the completeness and sound-
ness accepting probabilities. The notion of public-coin quantum multi-prover interactive proofs we use is a natural
generalization of public-coin quantum interactive proofs in the single-prover case introduced by Marriott and Wa-
trous [19]. Intuitively, at every round, a public-coin quantum verifier for quantum multi-prover interactive proof
systems flips a fair classical coin at most polynomially many times, and then simply broadcasts the result of these
coin-flippings to all the provers. The property (i) is a generalization of the result by Marriott and Watrous [19]
to the multi-prover case, whereas the property (ii) is completely new. The idea to prove (ii) is to send questions
only to the first k provers to request the original second messages from the k provers in the original system and
to receive from the (k + 1)-st prover the original first messages from the k provers in the original system without
asking any question to him. The public-coin property of the original system implies the nonadaptiveness of the
messages from the verifier, which is essential to prove (ii). In fact, there is a way of directly proving the thirdpart, but our detour enables us to show another two important properties of quantum multi-prover interactive proof
systems. Specifically, the property (i) essentially proves the equivalence of public-coin quantum k-prover interac-
tive proofs and general quantum k -prover interactive proofs, for any k, while the property (ii) for the case k = 1implies that any language in QIP (and thus in PSPACE) has a two-prover one-round quantum interactive proof
system of perfect completeness with exponentially small error in soundness, since any language in QIP has a three-
message public-coin quantum interactive proof system of perfect completeness with exponentially small error in
soundness [19].
Corollary (Corollary 13). Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any
functions that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, for any polynomially
bounded function p : Z+
→ N , there exists another polynomially bounded function m : Z+
→ N such that any
language in QMIP(k,m,c,s) necessarily has an m-turn public-coin quantum k-prover interactive proof system
of perfect completeness with soundness accepting probability at most 2− p.
Corollary (Corollary 15). For any polynomially bounded function p : Z+ → N , QIP ⊆ QMIP(2, 2, 1, 2− p).
Note that, in the classical case, public-coin multi-prover interactive proofs are only as powerful as single-prover
interactive proofs, because that every prover receives the same question from the verifier means that every prover
can know how other provers will behave. Hence, they cannot be as powerful as general classical multi-prover
interactive proofs unless NEXP = PSPACE. In contrast, our result shows that, in the quantum case, public-coin
3
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 5/27
quantum multi-prover interactive proofs are as powerful as general quantum multi-prover interactive proofs. The
reason for the nontriviality of public-coin quantum multi-prover interactive proofs may be explained as follows:
even if every quantum prover can know how other quantum provers will behave, still each quantum prover can
apply only local transformations over some state that may be entangled among provers, which is not enough to
simulate every possible strategy a single quantum prover could take.
Another remark is that, in the classical case, a similar statement to the last corollary was shown by Cai, Con-
don, and Lipton [8] (and a stronger statement was shown later by Feige and Lovasz [12] that two-prover one-round
multi-prover interactive proofs are as powerful as general multi-prover interactive proofs). All these results are,
however, not known to hold under the existence of prior entanglement among provers. Before our result, it has
been open if even PSPACE has a two-prover one-round quantum multi-prover interactive proof system (very re-
cently, Kempe, Kobayashi, Matsumoto, Toner, and Vidick [15] succeeded in proving that the classical two-prover
one-round multi-prover interactive proof system for PSPACE in Ref. [8] is sound in a weak sense against any
pair of dishonest prior-entangled provers that the soundness accepting probablity is bounded away from one by an
inverse-polynomial – their result is incomparable to ours since ours have much stronger soundness condition, but
both a verifier and honest provers must be quantum, while both of them have only to follow classical protocols in
their result).
Finally, it is stressed that our constructions make intensively use of provers’ prior entanglement in a positive
sense. In particular, even if the honest provers in the original proof system do not need any prior entanglement
at all, the honest provers in the constructed proof system do need prior entanglement in many cases. Most of the
properties proved in this paper (Theorem 7 and Corollaries 8, 13, and 15, in particular) are not known to hold when
considering only prior-unentangled honest provers, and thus give first evidence that sharing prior entanglement
may be advantageous even to honest provers.
2 Preliminaries
We assume the reader is familiar with the quantum formalism, including the quantum circuit model and definitions
of mixed quantum states (density operators) and fidelity (all of which are discussed in detail in Refs. [21, 16],
for instance). This section summarizes some of the notions and notations that are used in this paper and reviews
the model of quantum multi-prover interactive proof systems with introducing the notion of public-coin quantum
multi-prover interactive proof systems.
Throughout this paper, let N and Z+ denote the sets of positive and nonnegative integers, respectively. In this
paper, all Hilbert spaces are of dimension power of two.
For any Hilbert space H,D(H) denotes the set of density operators over H. The following property on fidelity
is often used in this paper.
Lemma 1 ([23, 20]). For any ρ, σ, ξ ∈ D(H) , F (ρ, σ)2 + F (σ, ξ )2 ≤ 1 + F (ρ, ξ ).
Polynomial-Time Uniformly Generated Families of Quantum Circuits As in the preceding studies [25, 17,
18], we define quantum interactive proof systems in terms of quantum circuits. In particular, we use the following
notion of polynomial-time uniformly generated families of quantum circuits.A family {Qx} of quantum circuits is polynomial-time uniformly generated if there exists a deterministic pro-
cedure that, on every input x, outputs a description of Qx and runs in time polynomial in |x|. It is assumed that
the circuits in such a family are composed of gates in some reasonable, universal, finite set of quantum gates. Fur-
thermore, it is assumed that the number of gates in any circuit is not more than the length of the description of that
circuit. Therefore Qx must have size polynomial in |x|. For convenience, we may identify a circuit Qx with the
unitary operator it induces.
Since non-unitary and unitary quantum circuits are equivalent in computational power [1], it is sufficient to
treat only unitary quantum circuits, which justifies the above definition. For avoiding unnecessary complication,
4
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 6/27
however, the descriptions of procedures often include non-unitary operations in the subsequent sections. Even in
such cases, it is always possible to construct unitary quantum circuits that essentially achieve the same procedures
described.
When proving statements that involve the perfect-completeness property, we assume that our universal gate
set satisfies some conditions, since these perfect-completeness properties may not hold with an arbitrary universal
gate set. Specifically, when claiming these perfect-completeness properties, we assume that the Hadamard trans-
formation and any classical reversible transformations are exactly implementable in our gate set. Note that this
condition is satisfied by most of the standard gate sets including the Shor basis [22] consisting of the Hadamard
gate, the controlled-i-phase-shift gate, and the Toffoli gate, and thus, the authors believe that our condition is not
so restrictive. It is stressed that most of our main statements do hold with an arbitrary choice of the gate set (the
completeness and soundness conditions may become worse by negligible amounts in some of the claims, which
does not affect the final main statements).
Quantum Multi-Prover Interactive Proof Systems Here we review the model of quantum multi-prover interac-
tive proof systems introduced in [18] and introduce the new notion of public-coin quantum multi-prover interactive
proof systems. Although the term “round” is commonly used in classical multi-prover interactive proofs for de-
scribing each set of verifier’s questions and the corresponding provers’ responses, the term “turn” is often used
instead of “round” in this paper. One round consists of two turns: the turn for a verifier and the turn for provers.
Let k be the number of provers. A quantum k-prover interactive proof system consists of (k + 1) parties: a
quantum verifier V and k quantum provers P 1, . . . , P k. Associated with the quantum k -prover interactive proof
system are the Hilbert spaces V , P i, and Mi for 1 ≤ i ≤ k , where V corresponds to the private space of the verifier
V , each P i corresponds to the private space of the ith prover P i, and each Mi corresponds to the space used for
communication between the verifier V and the ith prover P i. Note that no communication is allowed between
different provers. Without loss of generality, it is assumed that P i has same dimension for each i, and so does Mi.
For every input of length n, each space V , P i, and Mi consists of q V (n), q P (n), and q M(n) qubits, respectively,
for some polynomially bounded functions q V , q M : Z+ → N and some function q P : Z+ → N. Accordingly, the
entire system consists of q (n) = q V (n) + k(q M(n) + q P (n)) qubits. Such a system is called (q V , q M, q P )-space-
bounded , and the associated verifier and provers are called (q
V , q
M)-space-bounded and (q
M, q
P )-space-bounded ,
respectively. One of the private qubits of the verifier is designated as the output qubit.Formally, an m-turn (q V , q M)-space-bounded quantum verifier V for quantum k-prover interactive proof
systems is a polynomial-time computable mapping of the form V : {0, 1}∗ → {0, 1}∗. For every n and for
every input x ∈ {0, 1}∗ of length n, V uses at most q V (n) qubits for his private space and at most q M(n)qubits for communication with each prover. The string V (x) is interpreted as a (m(n) + 1)/2-tuple
(V (x)1, . . . , V (x)(m(n)+1)/2), with each V (x) j a description of a polynomial-time uniformly generated quan-
tum circuit acting on q V (n) + kq M(n) qubits.
Similarly, an m-turn (q M, q P )-space-bounded quantum verifier P is a mapping of the form
P : {0, 1}∗ → {0, 1}∗. For every n and for every input x ∈ {0, 1}∗ of length n, P uses at most q P (n) qubits
for his private space and at most q M(n) qubits for communication with the verifier. The string P (x) is interpreted
as a m(n)/2-tuple (P (x)1, . . . , P (x)m(n)/2), with each P (x) j a description of a quantum circuit acting on
q M(n) + q P (n) qubits. No restrictions are placed on the complexity of the mapping P (i.e., each P (x) j can be anarbitrary unitary transformation).
Given an m-turn (q V , q M)-space-bounded quantum verifier V , m-turn (q M, q P )-space-bounded quantum
provers P 1, . . . , P k , and an input x of length n, we define a circuit (V (x), P 1(x), . . . , P k(x)) acting over
V ⊗ M1 ⊗ · · · ⊗ Mk ⊗P 1 ⊗ · · · ⊗ P k of q (n) qubits as follows. If m(n) is odd, circuits P 1(x)1, . . . , P k(x)1,
V (x)1, . . ., P 1(x)(m(n)+1)/2, . . . , P k(x)(m(n)+1)/2, V (x)(m(n)+1)/2 are applied in sequence, each P i(x) j to
Mi ⊗ P i, and each V (x) j to V ⊗ M1 ⊗ · · · ⊗ Mk. If m(n) is even, circuits V (x)1, P 1(x)1, . . . , P k(x)1, . . .,
V (x)m(n)/2, P 1(x)m(n)/2, . . . , P k(x)m(n)/2, V (x)m(n)/2+1 are applied in sequence. Note that the order of applica-
tions of the circuits of the provers at each turn has actually no sense since the space Mi ⊗ P i on which the circuits
5
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 7/27
of the ith prover act is separated from each other prover.
At any given instant, the state of the entire system is a unit vector in the space
V ⊗ M1 ⊗ · · · ⊗ Mk ⊗P 1 ⊗ · · · ⊗ P k. At the beginning of the protocol, the system is in the initial state
such that all the qubits in V ⊗ M1 ⊗ · · · ⊗ Mk are in state |0. Note that the provers may prepare any kind
of prior-entanglement in their private spaces. Still it may be assumed with out loss of generality that the initial
state is a pure state, and thus, that the provers initially prepare some pure state |
Φ(x) ∈ P 1 ⊗ · · · ⊗ P k
. This
|Φ(x) is referred to as the prior-shared state of the provers. Thus the legal initial state may be written as
|ψinit(x) = |0⊗(qV (n)+kqM(n))|Φ(x) for some |Φ(x) ∈ P 1 ⊗ · · · ⊗ P k.
Formally, we introduce the notion of state-sharing functions. A state-sharing function Φ for k quantum provers
of (q M, q P )-space-bounded is a mapping of the form Φ : {0, 1}∗ → P 1 ⊗ · · · ⊗ P k, such that, for every n and for
every input x ∈ {0, 1}∗ of length n, Φ(x) is a pure quantum state of kq P (n) qubits in P 1 ⊗ · · · ⊗ P k. In what
follows, Φ(x) will often be denoted by |Φ(x).
For every input x of length n, the probability pacc(x,V,P 1, . . . , P k, Φ) that (V, P 1, . . . , P k) ac-
cepts x is defined to be the probability that an observation of the output qubit in the {|0, |1} ba-
sis yields |1, after the circuit (V (x), P 1(x), . . . , P k(x)) is applied to |ψinit(x) = |0⊗(qV (n)+kqM(n))|Φ(x).
Let Πacc be the projection onto the space consisting of states whose output qubit is in state
|1
, and let P (x) j be the shorthand of P 1(x) j
⊗ · · · ⊗P k(x) j , for 1
≤ j
≤ m(n)/2
. Then,
pacc(x,V,P 1, . . . , P k, Φ) = ΠaccV (x)(m(n)+1)/2 P (x)(m(n)+1)/2 · · · V (x)1 P (x)1|ψinit(x)2 if m(n) is odd, and
pacc(x,V,P 1, . . . , P k, Φ) = ΠaccV (x)m(n)/2+1 P (x)m(n)/2V (x)m(n)/2 · · · P (x)1V (x)1|ψinit(x)2 if m(n) is
even.
Although k, the number of provers, has been treated to be constant so far, the above definition can be naturally
extended to the case that k : Z+ → N is a function of the input length n. In what follows, we treat k as a function.
Note that the number of provers possible to communicate with the verifier must be bounded by a polynomial in n.
Definition 2. Given polynomially bounded functions k, m : Z+ → N and functions c, s : Z+ → [0, 1], a language Lis in QMIP(k,m,c,s) iff there exist polynomially bounded functions q V , q M : Z+ → N and an m-turn (q V , q M)-
space-bounded quantum verifier V for quantum k-prover interactive proof systems such that, for every n and for
every input x of length n:
(Completeness) if x ∈ L, there exist a function q P : Z+ → N, a set of k(n) quantum provers P 1, . . . , P k(n) of
m-turn (q M, q P )-space-bounded, and a state-sharing function Φ for k(n) quantum provers of (q M, q P )-
space-bounded such that (V, P 1, . . . , P k(n)) accepts x with probability at least c(n),
(Soundness) if x ∈ L, for any function q P : Z+ → N, any set of k(n) quantum provers P 1, . . . , P k(n) of m-turn
(q M, q P )-space-bounded, and any state-sharing function Φ for k(n) quantum provers of (q M, q P )-space-
bounded, (V, P 1, . . . , P k(n)) accepts x with probability at most s(n).
Next, we introduce the notions of public-coin quantum verifiers for quantum multi-prover interactive proof
systems and public-coin quantum multi-prover interactive proof systems. These are natural generalizations of
public-coin quantum verifiers and public-coin quantum interactive proof systems in the single-prover case intro-
duced by Marriott and Watrous [19]. Intuitively, a quantum verifier for quantum multi-prover interactive proof systems is public-coin if, at every turn for the verifier, after receiving messages from the provers that are possibly
quantum, he first flips a fair classical coin at most polynomially many times, and then simply broadcasts the result
of these coin-flippings to all the provers. No other messages are sent from the verifier to the provers. At the end of
the protocol, the verifier applies some quantum operation to the messages received so far, and decides acceptance
or rejection.
Formally, an m-turn (q V , q M)-space-bounded quantum verifier V for quantum k-prover interactive proof sys-
tems is public-coin if V has the following properties for every n and for every input x ∈ {0, 1}∗ of length n. At the
jth transformation of V for 1 ≤ j ≤ m(n)/2, V first receives at most q M(n) qubits from each prover, then flips
6
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 8/27
a fair classical coin at most q M(n) times to generate a random string r j of length at most q M(n), and broadcasts
r j to all the prover.
An m-turn (q V , q M, q P )-space-bounded quantum multi-prover interactive proof system is public-coin if the
associated m-turn (q V , q M)-space-bounded quantum verifier is public-coin.
3 QMIP with Perfect Completeness Equals General QMIP
For readability, in what follows, the arguments x and n are dropped in the various functions, if it is not confusing.
It is assumed that operators acting on subsystems of a given system are extended to the entire system by tensoring
with the identity, since it will be clear from context upon what part of a system a given operator acts.
This section proves that any quantum k -prover interactive proof system with two-sided bounded error can be
transformed into a quantum k-prover interactive proof system with one-sided bounded error of perfect complete-
ness, for any k.
Theorem 3. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any func-
tions that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, for any polynomi-
ally bounded function p : Z+
→ N , there exists another polynomially bounded function m : Z+
→ N such that,
QMIP(k,m,c,s) ⊆ QMIP(k, m, 1, 2− p).
First, we introduce the notion of perfectly rewindable quantum multi-prover interactive proof systems.
Definition 4. Given polynomially bounded functions k, m : Z+ → N and a function s : Z+ → [0, 1] that satisfies
s < 12 , a language L has a perfectly rewindable m-turn quantum k-prover interactive proof system with soundness
accepting probability at most s iff there exist polynomially bounded functions q V , q M : Z+ → N and an m-turn
(q V , q M)-space-bounded quantum verifier V for quantum k-prover interactive proof systems such that, for every nand for every input x of length n:
(Perfect Rewindability) if x ∈ L, there exist a function q P : Z+ → N and a set of k(n) quantum provers
P 1, . . . , P k(n) of m-turn (q
M, q
P )-space-bounded such that the maximum accepting probability is exactly
equal to 12 when V communicates with P 1, . . . , P k(n), where maximum is taken over all possible state-
sharing functions Φ for k(n) quantum provers of (q M, q P )-space-bounded,
(Soundness) if x ∈ L, for any function q P : Z+ → N, any set of k(n) quantum provers P 1, . . . , P k(n) of m-turn
(q M, q P )-space-bounded, and any state-sharing function Φ for k(n) quantum provers of (q M, q P )-space-
bounded, (V, P 1, . . . , P k(n)) accepts x with probability at most s(n).
We first show the way of modifying any general quantum multi-prover interactive proof system (with some
appropriate conditions on completeness and soundness) to a perfectly rewindable one that involves the same number
of provers and the same number of turns. The proof is straightforward and will be found in Appendix A.
Lemma 5. Let k, m : Z
+
→ N be polynomially bounded functions and let c, s :
Z+
→ [0, 1] be any functions that satisfy c ≥ 1
2 > s. Then, any language L in QMIP(k,m,c,s) has a perfectly rewindable m-turn quantum k-prover
interactive proof system with soundness accepting probability at most s.
Now, we are ready to show the following lemma.
Lemma 6. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any functions that
satisfy c ≥ 12 and s < 1
25 . Then, QMIP(k,m,c,s) ⊆ QMIP
k, 3m, 1, 12 + 2√
s + 5s2
.
7
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 9/27
We first intuitively sketch the proof idea for Lemma 6. For simplicity, assume that the number of provers is two.
Without loss of generality, our starting protocol is assumed to be perfectly rewindable with soundness accepting
probability being exponentially small (this is easily achieved by sequential repetition and Lemma 5). It is also
assumed that our starting protocol involves 2m turns.
The basic strategy is to use Watrous’s quantum rewinding technique for quantum zero-knowledge in a differ-
ent way — in our case we use it to ”rewind” an unsuccessful computation that would results in rejection into a
successful one.
Let V 1, . . . , V m+1 be the transformations of the verifier V in our starting protocol. First notice that, for any
input in a language, there are sequences of transformations P 1,1, . . . , P 1,m and P 2,1, . . . , P 2,m of the first and second
provers P 1 and P 2 such that, if we optimize a state-sharing function for provers, V accepts the input with probability
exactly 12 , which is the maximum accepting probability when V communicates with these fixed provers P 1 and P 2.
Let us write R j = P 1,j ⊗ P 2,j and U = V m+1RmV m · · · R1V 1 for notational convenience. Then this actually says
that the matrix M = Π initU †ΠaccU Πinit has the maximum eigenvalue exactly 12 , and the corresponding eigenvector
may be of the form |Ψ = |Φ∗ ⊗ |0 · · · 0. Here, Πacc is the projection over the accepting states in the original
protocol, Πinit is the projection over the states in which all the qubits are in state |0 except for those in the private
spaces of provers, and |Φ∗ is the state initially shared by the provers P 1 and P 2 by using the optimal state-sharing
function.
Now we apply the quantum rewinding technique by performing forward, backward, and forward executions
of the protocol in sequence. The perfect completeness property follows from the fact that the initial state |Ψis an eigenvector of M with the corresponding eigenvalue exactly 1
2 The problem of this construction lies in the
soundness. If the input is a no-instance, the maximum eigenvalue is exponentially small for any matrix M resulting
from our starting protocol. This shows that, if dishonest provers are actually “not so dishonest”, i.e., if they use
the same strategies for all of the three (forward, backward, and forward) executions of the starting protocol, the
accepting probability is still exponentially small. However, the problem arises when dishonest provers change their
strategies for some of the three executions. To settle this, we design a simple protocol that tests if the backward
execution is indeed a backward simulation of the first forward exection. The verifier performs the original rewinding
protocol or this invertibility test uniformly at random without revealing which test is undergoing. It is obvious that
the honest provers can always pass this invertibility test, and thus, it does not harm the perfect completeness
property when the input is a yes-instance. When the input is a no-instance, this forces the provers to use essentiallysame strategies for the first two executions of the protocol, which is sufficient to bound the soundness accepting
probability.
Now we give a detailed proof.
Proof of Lemma 6. Let L be a language in QMIP(k,m,c,s). From Lemma 5, L has a perfectly rewindable m-
turn quantum k-prover interactive proof system with soundness accepting probability at most s. Let V be the
corresponding m-turn quantum verifier for the perfectly rewindable quantum k-prover interactive proof system
for L. Let V be the quantum register consisting of all the qubits in the private space of V , and let Mi be that
consisting of all the qubits in the message channel between V and the ithe prover, for 1 ≤ i ≤ k. For every input x,
V applies V j for his j th transformation to the qubits in (V,M1, . . . ,Mk), for 1 ≤ j ≤ m2
+ 1, and performs the
measurement Π = {
Πacc, Πrej
} at the end of the original protocol to decide acceptance of rejection. We construct
a protocol of a 3m-turn quantum verifier W of a new quantum k-prover interactive proof system for L. W will
perform one of the two tests, which we call “R EWINDING TEST” and “INVERTIBILITY TEST”, without revealing
to the provers which test is undergoing. For simplicity, in what follows, it is assumed that m is even (the cases in
which m is odd can be proved in a similar manner).
For every input x, the new verifier W prepares the quantum registers V and Mi, for 1 ≤ i ≤ k. All the qubits
in (V,M1, . . . ,Mk) are initialized to |0.
Using first m turns, W attempts to simulate the original protocol, by applying V j to the qubits in
(V,M1, . . . ,Mk) as his jth transformation and sending Mi to the ith prover, for 1 ≤ i ≤ k and 1 ≤ j ≤ m2 .
8
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 10/27
At the (m + 1)-st turn, which is them2 + 1
-st transformation of the verifier, W first chooses b ∈ {0, 1}
uniformly at random. If b = 0, W moves to the REWINDING T EST, while if b = 1, W moves to the INVERTIBILITY
TEST .
When entering the REWINDING TEST , W applies V m2 +1 to the qubits in (V,M1, . . . ,Mk) and then performs
the measurement Π = {Πacc, Πrej}, just as the original verifier V does. If this results in acceptance, W just accepts,
otherwise W continues the protocol for another 2m turns.
Using the next m turns, W attempts a backward simulation of the original protocol by applying V †m2 +2− j to the
qubits in (V,M1, . . . ,Mk) as hism2 + j
-th transformation and sending Mi to the ith prover, for 1 ≤ i ≤ k and
1 ≤ j ≤ m2 .
At the (2m + 1)-st turn, which is the (m + 1)-st transformation of the verifier, W first applies V †1 to the qubits
in (V,M1, . . . ,Mk). Next W performs a controlled-phase-flip controlled by the qubits in (V,M1, . . . ,Mk): W multiplies the phase by −1 if all the qubits in (V,M1, . . . ,Mk) are in state |0. W then applies V 1 to the qubits in
(V,M1, . . . ,Mk), and sends Mi to the ith prover, for 1 ≤ i ≤ k.
Finally, using the last (m − 1) turns, W attempts a forward simulation of the original protocol by applying V jto the qubits in (V,M1, . . . ,Mk) as his (m + j)-th transformation and sending Mi to the ith prover, for 1 ≤ i ≤ kand 2 ≤ j ≤ m
2 . At the last transformation of the verifier, W applies V m2 +1 to the qubits in (V,M1, . . . ,Mk), and
then performs the measurement Π = {Πacc, Πrej}. W accepts if this results in acceptance, and rejects otherwise.On the other hand, when entering the INVERTIBILITY TEST , W immediately starts a backward simulation of
the original protocol without performing the measurement Π = {Πacc, Πrej}. W applies V †m2 +2− j to the qubits in
(V,M1, . . . ,Mk) as hism2 + j
-th transformation and sending Mi to the ith prover, for 1 ≤ i ≤ k and 1 ≤ j ≤ m
2 .
At the (2m + 1)-st turn, which is the (m + 1)-st transformation of the verifier, W first applies V †1 to the qubits
in (V,M1, . . . ,Mk). W accepts if all the qubits in (V,M1, . . . ,Mk) are in state |0, and rejects otherwise.
The precise description of the protocol of W is described in Figure 1.
For the completeness, suppose that the input x is in L.
Let P i be the m-turn honest ith quantum prover for the original perfect rewindable proof system, and let Pibe the quantum register consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. Let P i,j be the j th
transformation of the original ith prover P i on input x in the original protocol, for 1 ≤ i ≤ k and 1 ≤ j ≤ m2 . Let
Φ∗ be any optimal state-sharing function for k quantum provers such that the state |Φ∗(x) in (P1, . . . ,Pk) sharedby the provers P 1, . . . , P k maximizes the accepting probability of V when communicating with these specific
provers P 1, . . . , P k . Note that the accepting probability is exactly equal to 12 when V communicates with the
provers P 1, . . . , P k who initially share |Φ∗(x). In what follows, we write |Φ∗ in short to denote |Φ∗(x).
Let Ri be the honest ith quantum prover in the constructed 3m-turn system, for 1 ≤ i ≤ k. Ri prepares the
quantum register Pi in his private space for 1 ≤ i ≤ k. R1, . . . , Rk initially share |Φ∗ in (P1, . . . ,Pk). At the
jth transformation of the provers for 1 ≤ j ≤ m2 , each Ri applies P i,j to the qubits in (Mi,Pi), for 1 ≤ i ≤ k. At
them2 + j
-th transformation of the provers for 1 ≤ j ≤ m
2 , each Ri applies P †i,m
2 − j+1 to the qubits in (Mi,Pi),
for 1 ≤ i ≤ k. Finally, at the (m + j)-th transformation of the provers for 1 ≤ j ≤ m2 , each Ri applies P i,j to the
qubits in (Mi,Pi), for 1 ≤ i ≤ k .
It is obvious from this construction that the provers R1, . . . , Rk can convince W with certainty when W per-
forms the INVERTIBILITY T EST. We show that R1, . . . , Rk can convince W with certainty even when W performsthe REWINDING TEST . Shortly speaking, this holds for essentially the same reason that the quantum rewinding
technique works well in the case of quantum zero-knowledge proofs.
For notational covenience, let P j = P 1,j ⊗ · · · ⊗ P k,j for 1 ≤ j ≤ m2 , and let Q = V m
2 +1 P m
2V m
2
· · · P 1V 1.
Then the perfect rewindability property of the original proof system essentially implies that the maximum eigen-
value of the Hermitian matrix M = ΠinitQ†ΠaccQΠinit is exactly equal to 12 and |Ψ∗ = |0V⊗M1⊗···⊗Mk
|Φ∗ is
an eigenvector of M corresponding to the eigenvalue 12 , where Πinit is the projection onto states in which all the
qubits in (V,M1, . . . ,Mk) are in state |0, and V and each Mi are the Hilbert spaces corresponding to the registers
9
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 11/27
Verifier’s Protocol for Achieving Perfect Completeness
1. Prepare quantum registers V and Mi, for 1 ≤ i ≤ k. Initialize all the qubits in V and Mi in state |0, for
1 ≤ i ≤ k. Apply V 1 to the qubits in (V,M1, . . . ,Mk), and send Mi to the ith prover, for 1 ≤ i ≤ k.
2. For j = 2 to m2 , do the following:
Receive Mi from the ith prover, for 1 ≤ i ≤ k. Apply V j to the qubits in (V,M1, . . . ,Mk), and send Mi to
the ith prover, for 1 ≤ i ≤ k.
3. Receive Mi from the ith prover, for 1 ≤ i ≤ k. Choose b ∈ {0, 1} uniformly at random. If b = 0, move to
the REWINDING TEST described in Step 4, while if b = 1, move to the INVERTIBILITY TEST described in
Step 5, and do not reveal to the provers which test is undergoing.
4. (REWINDING TEST)
If b = 0, do the following:
4.1 Apply V m2 +1 to the qubits in (V,M1, . . . ,Mk). Accept if the content of (V,M1, . . . ,Mk) corresponds
to an accepting state in the original protocol. Otherwise apply V †m2 +1 to the qubits in (V,M1, . . . ,Mk),
and send Mi to the ith prover, for 1 ≤ i ≤ k.
4.2 For j = m2 down to 2, do the following:
Receive Mi from the ith prover, for 1 ≤ i ≤ k. Apply V † j to the qubits in (V,M1, . . . ,Mk), and send
Mi to the ith prover, for 1 ≤ i ≤ k.
4.3 Receive Mi from the ith prover, for 1 ≤ i ≤ k. Apply V †1 to the qubits in (V,M1, . . . ,Mk). Per-
form the phase-flip if all the qubits in (V,M1, . . . ,Mk) are in state |0. Apply V 1 to the qubits in
(V,M1, . . . ,Mk), and send Mi to the ith prover, for 1 ≤ i ≤ k.
4.4 For j = 2 to m2 , do the following:
Receive Mi from the ith prover, for 1 ≤
i ≤
k. Apply V j to the qubits in (V,M1, . . . ,Mk), and send
Mi to the ith prover, for 1 ≤ i ≤ k.
4.5 Receive Mi from the ith prover, for 1 ≤ i ≤ k. Apply V m2 +1 to the qubits in (V,M1, . . . ,Mk). Accept
if the content of (V,M1, . . . ,Mk) corresponds to an accepting state in the original protocol, and reject
otherwise.
5. (INVERTIBILITY TEST)
If b = 1, do the following:
5.1 Send Mi to the ith prover, for 1 ≤ i ≤ k.
5.2 For j = m2 down to 2, do the following:
Receive Mi from the ith prover, for 1
≤ i ≤
k. Apply V † j
to the qubits in (V,M1
, . . . ,Mk
), and send
Mi to the ith prover, for 1 ≤ i ≤ k.
5.3 Receive Mi from the ith prover, for 1 ≤ i ≤ k. Apply V †1 to the qubits in (V,M1, . . . ,Mk). Accept if
all the qubits in (V,M1, . . . ,Mk) are in state |0, and reject otherwise.
Figure 1: Verifier’s protocol for achieving perfect completeness
10
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 12/27
V and Mi, respectively, for each 1 ≤ i ≤ k.
Define the unnormalized states |φ0, |φ1, |ψ0, and |ψ1 by
|φ0 = ΠaccQ|Ψ∗, |φ1 = ΠrejQ|Ψ∗, |ψ0 = ΠinitQ†|φ0, |ψ1 = ΠillegalQ†|φ0,
where Πillegal = I
V⊗M1
⊗···⊗Mk
−Πinit is the projection onto states orthogonal to
|0
V⊗M1
⊗···⊗Mk
.
Then, noticing that |Ψ∗ = Πinit|Ψ∗, we have
|ψ0 = ΠinitQ†ΠaccQ|Ψ∗ = ΠinitQ†ΠaccQΠinit|Ψ∗ = M |Ψ∗ = 1
2|Ψ∗,
and thus,
Q†|φ1 = Q†(I V⊗M1⊗···⊗Mk − Πacc)Q|Ψ∗ = |Ψ∗ − Q†|φ0 = 2|ψ0 − (|ψ0 + |ψ1) = |ψ0 − |ψ1.
Hence, the state just before the controlled-phase-flip in Step 4.3 when entering the R EWINDING T EST is exactly
1
|φ1
Q†|φ1 = 1
|φ1
(|ψ0 − |ψ1).
Since Πinit|ψ0 = |ψ0 and Πinit|ψ1 = 0, the controlled-phase-flip changes the state to
− 1
|φ1(|ψ0 + |ψ1) = − 1
|φ1Q†|φ0.
Therefore, the state just after V m2 +1 is applied in Step 4.5 is exactly
− 1
|φ1QQ†|φ0 = − 1
|φ1|φ0,
and thus, the fact that Πacc|φ0 = |φ0 implies that the verifier W always accepts in Step 4.5.
Hence the provers R1, . . . , Rk can convince W with certainty even when W performs the REWINDING T EST,
and the perfect completeness property follows.
Now for the soundness, suppose that the input x is not in L.
Let Ri be any 3m-turn ith quantum prover for the constructed proof system, and let Pi be the quantum register
consisting of all the qubits in the private space of Ri, for 1 ≤ i ≤ k. Let ψ be any state-sharing function for k quan-
tum provers so that the state |ψ(x) in (P1, . . . ,Pk) is initially shared by the provers R1, . . . , R
k. In what follows,
we write |ψ in short to denote |ψ(x). Suppose that, at the jth transformation of the provers for 1 ≤ t ≤ 3m2 , each
Ri applies X i,j to the qubits in (Mi,P
i).
Let Z denote the controlled-phase-flip operator controlled by the qubits in (V,M1, . . . ,Mk) that multiplies the
phase by −1 if all the qubits in (V,M1, . . . ,Mk) are in state |0.
For notational convenience, let X j = X 1,j ⊗ · · · ⊗ X k,j for 1 ≤ t ≤ 3m2 , let
U 1 = X m2 V m2 · · · X 2V 2 X 1V 1,
U 2 = V †1 X m · · · V †m2 −1
X m2 +2V †m
2
X m2 +1,
U 3 = X 3m2
V m2
· · · X m+2V 2 X m+1V 1.
There are three cases of acceptance in the constructed protocol.
In the first case, the verifier W performs the REWINDING TEST and accepts in Step 4.1. This propability of
acceptance is given by p12 , where
p1 = ΠaccV m2 +1U 1|ψ2.
11
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 13/27
In the second case, the verifier W performs the REWINDING T EST and accepts in Step 4.5. This propability of
acceptance is given by p22 , where
p2 = ΠaccV m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ2.
Finally, in the third case, the verifier W performs the INVERTIBILITY TEST and accepts in Step 5.3. This
propability of acceptance is given by p32 , where
p3 = ΠinitU 2U 1|ψ2.
Then the probability pacc that W accepts x when communicating with R1, . . . , R
k is given by
pacc = 12( p1 + p2 + p3). From the soundness condition of the original protocol, it is obvious that p1 ≤ s. We
shall show that p2 ≤ 1 + 4√
s + 4s − p3. This implies that pacc ≤ 12 + 2
√ s + 5s
2 , and the soundness condition
follows.
Using the triangle inequality, we have that
ΠaccV m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ
≤ ΠaccV m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ − ΠaccV m
2 +1U 3ZU 2U 1|ψ
+ ΠaccV m2 +1U 3ZU 2U 1|ψ − ΠaccV m
2 +1U 3Z ΠinitU 2U 1|ψ
+ ΠaccV m2 +1U 3Z ΠinitU 2U 1|ψ. (1)
The first term of Eq. (1) can be bounded from above as follows:
ΠaccV m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ − ΠaccV m
2 +1U 3ZU 2U 1|ψ
≤ V m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ − V m
2 +1U 3ZU 2U 1|ψ
= V †m2 +1ΠrejV m
2 +1U 1|ψ − U 1|ψ = ΠrejV m
2 +1U 1|ψ − V m
2 +1U 1|ψ
= − ΠaccV m2 +1U 1|ψ = ΠaccV m
2 +1U 1|ψ =
√ p1 ≤
√ s.
The second term of Eq. (1) can be bounded from above as follows:
ΠaccV m2 +1U 3ZU 2U 1|ψ − ΠaccV m
2 +1U 3Z ΠinitU 2U 1|ψ
≤ V m2 +1U 3ZU 2U 1|ψ − V m
2 +1U 3Z ΠinitU 2U 1|ψ
= U 2U 1|ψ − ΠinitU 2U 1|ψ = ΠillegalU 2U 1|ψ =
1 − p3.
Here the last equality comes from the facts that U 2U 1|ψ = ΠinitU 2U 1|ψ + ΠillegalU 2U 1|ψ is a unit vector, that
ΠinitU 2U 1|ψ and ΠillegalU 2U 1|ψ are orthogonal, and that ΠinitU 2U 1|ψ2 = p3.
Finally, since ΠinitU 2U 1|ψ is an unnormalized state parallel to some legal initial state and Z Πinit = −Πinit
from the definitions of Z and Πinit, the third term of Eq. (1) can be bounded as follows by using the soundness
condition of the original protocol:
ΠaccV m2 +1U 3Z ΠinitU 2U 1|ψ = − ΠaccV m2 +1U 3ΠinitU 2U 1|ψ = ΠaccV m2 +1U 3ΠinitU 2U 1|ψ ≤ √ s.
Putting things together, we have
p2 = ΠaccV m2 +1U 3ZU 2V †m
2 +1ΠrejV m
2 +1U 1|ψ2
≤ (2√
s +
1 − p3)2 = 1 + 4
s(1 − p3) + 4s − p3 ≤ 1 + 4√
s + 4s − p3,
as desired.
From Lemma 6, it is immediate to show Theorem 3 by appropriately applying sequential repetitions.
12
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 14/27
4 Parallelization of Quantum Multi-Prover Interactive Proof Systems
This section proves that any quantum k-prover interactive proof system that involves polynomially many turns can
be parallelized to one that involves only one round (i.e., two turns) by just adding one more prover, in which the
gap between completeness and soundness accepting probabilities is still bounded by an inverse-polynomial.
Theorem 7. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any functions that satisfy c − s ≥ 1
p for some polynomially bounded function p : Z+ → N. Then, there exists another polynomially
bounded function p : Z+ → N such that QMIP(k,m,c,s) ⊆ QMIP
k + 1, 2, 1, 1 − 1 p
.
It is easy to see that we can amplify the success probability without increasing the number of rounds (turns)
by running multiple attempts of a protocol in parallel using a different set of provers for every attempt. Hence,
Theorem 7 implies that one-round quantum multi-prover interactive proofs are as powerful as general quantum
multi-prover interactive proofs.
Corollary 8. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any func-
tions that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, for any polynomi-
ally bounded function p : Z
+
→ N , there exists another polynomially bounded function k :
Z+
→ N such that
QMIP(k,m,c,s) ⊆ QMIP(k, 2, 1, 2− p).
The proof of Theorem 7 basically consists of three parts.
The first part is a pre-processing that converts any quantum k-prover interactive proof system with two-sided
bounded error into a quantum k-prover interactive proof system with one-sided bounded error of perfect complete-
ness, which has already been proved in the previous section.
The second part proves that any (2l + 1)-turn quantum k-prover interactive proof system with two-sided
bounded error can be converted into a (2l−1 + 1)-turn quantum k-prover interactive proof system with two-sided
bounded error, in which the gap between the completeness and soundness accepting probabilities decreases, but
is still bounded by an inverse-polynomial if the gap in the original proof system is sufficiently large. By repeat-
edly applying this modification together with appropriate use of sequential repetition as a preprocessing, we can
convert any m-turn quantum k-prover interactive proof system into a three-turn quantum k-prover interactive proof system in which the gap between the completeness and soundness accepting probabilities is bounded by an inverse-
polynomial. If k = 1, this gives a simpler proof of the parallelization theorem due to Kitaev and Watrous [17] for
single-prover quantum interactive proofs.
Now the third part proves that any three-turn quantum k-prover interactive proof system with sufficiently large
gap between the completeness and soundness accepting probabilities can be converted into a two-turn quantum
(k + 1)-prover interactive proof system, in which the gap between the completeness and soundness accepting
probabilities is bounded by an inverse-polynomial. Although there is a direct proof for this as will be shown
in Appendix C, we will take a detour by proving (i) any three-turn quantum k-prover interactive proof system
with sufficiently large gap between the completeness and soundness accepting probabilities can be modified to a
three-turn public-coin quantum k-prover interactive proof system in which the gap between the completeness and
soundness accepting probabilities is bounded by an inverse-polynomial, and (ii) any three-turn public-coin quantumk-prover interactive proof system can be converted into a two-turn quantum (k + 1)-prover interactive proof system
without changing the completeness and soundness accepting probabilities. It follows from the property (i) that, for
any polynomially bounded k, public-coin quantum k-prover interactive proofs are as powerful as general quantum
k-prover interactive proofs. The property (ii) for the case k = 1 shows that any language in QIP, in particular in
PSPACE, has a two-prover one-round (i.e., two-turn) quantum interactive proof system of perfect completeness
with exponentially small error in soundness. Notice that the direct proof also shows a bit weaker claim that any
language in QIP has a two-prover one-round quantum interactive proof system of perfect completeness, but the
soundness accepting probability is bounded only by exponentially close to 12 . This is indeed weaker than what we
13
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 15/27
can show with the detour, since it is not known how to amplify the success probability of quantum multi-prover
interactive proofs without increasing either the number of provers or the number of turns.
4.1 Parallelizing to Three Turns
This subsection shows the first part of the proof of Theorem 7. We first show the following lemma, which states
that any (2l + 1)-turn quantum k-prover interactive proof system with sufficiently small two-sided bounded error
can be converted into a (2l−1 + 1)-turn quantum k-prover interactive proof system with two-sided bounded error.
The idea is that the verifier first receives the snapshot state after the (2l−1 + 1)-st turn of the original system, and
then executes a forward-simulation of the original system from the (2l−1 + 1)-st turn with probability 12 and a
backward-simulation of the original system from the (2l−1 + 1)-st turn with probability 12 .
Lemma 9. Let k : Z+ → N be a polynomially bounded function, let l : Z+ → N be a function such that 4 ≤ 2l ≤ p for some polynomially bounded function p : Z+ → N , and let ε, δ : Z+ → [0, 1] be any functions that satisfy
δ > 1 − (1 − ε)2. Then, QMIP(k, 2l + 1, 1 − ε, 1 − δ ) ⊆ QMIP
k, 2l−1 + 1, 1 − ε2 , 12 +
√ 1−δ2
.
Proof. Let L be a language in QMIP(k, 2l + 1, 1 − ε, 1 − δ ) and let V be the corresponding (2l + 1)-turn quantum
verifier for the quantum k-prover interactive proof system for L. Let V be the quantum register consisting of allthe qubits in the private space of V , and let Mi be that consisting of all the qubits in the message channel between
V and the ithe prover, for 1 ≤ i ≤ k. For every input x, V applies V j for his j th transformation on the qubits in
(V,M1, . . . ,Mk), for 1 ≤ j ≤ 2l−1 + 1, and performs the measurement Π = {Πacc, Πrej} at the end of the original
protocol to decide acceptance of rejection. We construct a protocol of a (2l−1 + 1)-turn quantum verifier W of the
new quantum k-prover interactive proof system for L.
For every input x, at the first turn the new verifier W receives quantum registers V and Mi for 1 ≤ i ≤ k, where
V is sent from the first prover and each Mi is sent from the ith prover. W expects that the qubits in (V,M1, . . . ,Mk)form the quantum state the original (2l + 1)-turn verifier V would possess just after the (2l−1 + 1)-st turn (i.e., just
after the (2l−2 + 1)-st transformations of the provers) of the original protocol.
Now W chooses b ∈ {0, 1} uniformly at random. If b = 0, W starts a forward-simulation of the original proof
system from the (2l−1 + 1)-st turn, and W accepts if and only if the simulation results in acceptance in the original
proof system. On the other hand, if b = 1, W starts a backward-simulation of the original proof system from the
(2l−1 + 1)-st turn, and W accepts if and only if all the qubits in V are in state |0 after the simulation (here recall
that 2l + 1 is odd, and thus the first turn is done by provers in the original proof system). Thus the constructed
system has 2l−1 + 1 turns.
The precise description of the protocol of W is found in Figure 2.
First suppose that the input x is in L.
Let P i be the (2l + 1)-turn honest quantum prover for the original proof system, and let Pi be the quantum reg-
ister consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. Let |Φ be a quantum state in (P1, . . . ,Pk)such that, if P 1, . . . , P k initially share |Φ, they can convince V with probability at least 1 − ε in the original proof
system. Let |ψ2l−1+1 be the quantum state in (V,M1, . . . ,Mk,P1, . . . ,Pk) just after the (2l−1 + 1)-st turn (i.e.,
just after the (2l−2 + 1)-st transformations of the provers) of the original protocol if V communicates with the
provers P 1, . . . , P k who initially share |Φ in their private spaces.
Let Ri be the honest ith prover in the constructed (2l−1 + 1)-turn system, for 1 ≤ i ≤ k. In addition to the
registers V and M1, R1 prepares the quantum register P1 in his private space. Similarly, in addition to Mi,
Ri prepares the quantum register Pi in his private space for 2 ≤ i ≤ k. R1, . . . , Rk initially share |ψ2l−1+1 in
(V,M1, . . . ,Mk,P1, . . . ,Pk). At the first turn of the constructed protocol, R1 sends V and M1 to W , while each
Ri, 2 ≤ i ≤ k, sends Mi to W .If b = 0, at the tth transformation of the provers for 2 ≤ t ≤ 2l−2 + 1, each Ri applies P i,2l−2+t to the qubits in
(Mi,Pi), while if b = 1, at the tth transformation of the provers for 2 ≤ t ≤ 2l−2 + 1, each Ri applies P †i,2l−2−t+3
14
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 16/27
Verifier’s Protocol to Reduce the Number of Turns by Half
1. Receive quantum registers V from the first prover and Mi from the ith prover for 1 ≤ i ≤ k.
2. Choose b ∈ {0, 1} uniformly at random.
3. If b = 0, execute a forward-simulation of the original protocol as follows:
3.1 Apply V 2l−2+1 to the qubits in (V,M1, . . . ,Mk). Send b and the qubits in Mi to the ith prover, for
1 ≤ i ≤ k.
3.2 For j = 2l−2 + 2 to 2l−1, do the following:
Receive a quantum register Mi from the ith prover, for 1 ≤ i ≤ k. Apply V j to the qubits in
(V,M1, . . . ,Mk). Send the qubits in Mi to the ith prover, for 1 ≤ i ≤ k.
3.3 Receive a quantum register Mi from the ith prover, for 1 ≤ i ≤ k. Apply V 2l−1+1 to the qubits in
(V,M1, . . . ,Mk). Accept if the content of (V,M1, . . . ,Mk) is an accepting state of the original proto-
col, and reject otherwise.
4. If b = 1, execute a backward-simulation of the original protocol as follows:
4.1 Send b and the qubits in Mi to the ith prover, for 1 ≤ i ≤ k.
4.2 For j = 2l−2 down to 2, do the following:
Receive a quantum register Mi from the ith prover, for 1 ≤ i ≤ k. Apply V † j to the qubits in
(V,M1, . . . ,Mk). Send the qubits in Mi to the ith prover, for 1 ≤ i ≤ k.
4.3 Receive a quantum register Mi from the ith prover, for 1 ≤ i ≤ k. Apply V †1 to the qubits in
(V,M1, . . . ,Mk). Accept if all the qubits in V are in state |0, and reject otherwise.
Figure 2: Verifier’s protocol to reduce the number of turns by half.
15
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 17/27
to the qubits in (Mi,Pi), for 1 ≤ i ≤ k, where each P i,j is the j th transformation of the original ith prover P i on
input x in the original protocol, for 1 ≤ j ≤ 2l−1 + 1.
It is obvious that the provers R1, . . . , Rk can convince W with probability at least 1 − ε if b = 0, and with
certainty if b = 1. Hence, W accepts every input x ∈ L with probability at least 1 − ε2 .
Now suppose that the input x is not in L.
Let Ri be any (2l
−1 + 1)-turn ith quantum prover for the constructed proof system, for 1
≤ i ≤
k. Let |
ψ
be
an arbitrary quantum state that represents the state just after the first transformations of the provers R1, . . . , R
k in
the constructed system. Suppose that, at the tth transformation of the provers for 2 ≤ t ≤ 2l−2 + 1, each Ri applies
X i,t if b = 0 and Y i,t if b = 1, for 1 ≤ i ≤ k and write X t = X 1,t ⊗ · · · ⊗ X k,t and Y t = Y 1,t ⊗ · · · ⊗ Y k,t.
Define unitary transformations U 0 and U 1 by U 0 = V 2l−1+1 X 2l−2+1V 2l−1 · · · X 2V 2l−2+1 and
U 1 = V †1 Y 2l−2+1 · · · V †2l−2
Y 2, and let |α = 1ΠaccU 0|ψΠaccU 0|ψ and |β = 1
ΠinitU 1|ψΠinitU 1|ψ, where
Πacc is the projection onto accepting states in the original protocol and Πinit is the projection onto states in which
all the qubits in V are in state |0.
Then we have
ΠaccU 0|ψ = 1
ΠaccU 0
|ψ
ψ|U †0ΠaccU 0|ψ
= F
|αα|, U 0|ψψ|U †0
= F
U †0 |αα|U 0, |ψψ|
,
and thus, the probability p0 of acceptance when b = 0 is given by p0 = F
U †0 |αα|U 0, |ψψ|2. Similarly, the
probability p1 of acceptance when b = 1 is given by p1 = F
U †1 |β β |U 1, |ψψ|2. Hence the probability paccthat W accepts x when communicating with R
1, . . . , Rk is given by
pacc = 1
2( p0 + p1) =
1
2
F
U †0 |αα|U 0, |ψψ|2 + F
U †1 |β β |U 1, |ψψ|2.
Therefore, from Lemma 1, we have
pacc ≤ 1
2
1 + F
U †0 |αα|U 0, U †1 |β β |U 1
=
1
2
1 + F
|αα|, U 0U †1 |β β |U 1U †0
.
Noticing that Πinit|β = |β , |β is a legal quantum state just after the first transformations of the provers inthe original protocol. Hence, from the property of the original protocol,ΠaccU 0U †1 |β 2 =
ΠaccV 2l−1+1 X 2l−2+1V 2l−1 · · · X 2V 2l−2+1
Y †2 V 2l−2 · · · Y †2l−2+1
V 1|β 2 ≤ 1 − δ,
since V 1, Y †2l−2+1
, · · · , V 2l−2 , Y †2 , V 2l−2+1, X 2, · · · , V 2l−1 , X 2l−2+1, V 2l−1+1 form a legal sequence of transforma-
tions in the original protocol.
Now, from the fact that Πacc|α = |α, we have
F |αα|, U 0U †1 |β β |U 1U †0
=
α|U 0U †1 |β = α|ΠaccU 0U †1 |β ≤ ΠaccU 0U †1 |β ≤√
1 − δ.
Hence the probability pacc that W accepts x is bounded by pacc ≤ 1
2 +
√ 1
−δ
2 , which completes the proof.
Now, by repeatedly applying the modification in the proof of Lemma 9, we have the following theorem. The
proof is mostly straightforward, but involves a careful analysis of the efficiency of the modification in the proof of
Lemma 9, since the modification is repeatedly applied logarithmically many times.
Theorem 10. Let k, m : Z+ → N be polynomially bounded functions and let ε, δ : Z+ → [0, 1] be any functions
such that m ≥ 4 and δ > 2(m − 1)ε. Then, QMIP(k,m, 1 − ε, 1 − δ ) ⊆ QMIP
k, 3, 1 − 2εm−1 , 1 − δ
(m−1)2
.
16
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 18/27
Proof. Let l : Z+ → N be a function such that 2l + 1 ≤ m ≤ 2l+1 + 1.
It is trivial that QMIP(k,m, 1 − ε, 1 − δ ) ⊆ QMIP(k, 2l+1 + 1, 1 − ε, 1 − δ ), and we show that
QMIP(k, 2l+1 + 1, 1 − ε, 1 − δ ) ⊆ QMIP
k, 3, 1 − 2εm−1 , 1 − δ
(m−1)2
.
Consider a language in QMIP(k, 2l+1 + 1, 1 − ε, 1 − δ ) and let V (0) be the corresponding (2l+1 + 1)-turn
quantum verifier for quantum k-prover interactive proof systems.
For every x, given a description of V (0)(x), one can compute in time polynomial in |x| a description V (1)(x) of a (2l + 1)-turn quantum verifier V (1) for quantum k-prover interactive proof systems by applying the modification
in the proof of Lemma 9. The resulting proof system has completeness accepting probability at least 1 − ε2 and the
soundness accepting probability at most 12 +√ 1−δ2 ≤ 1 − δ
4 . Furthermore, the description of V (1)(x) may be at
most some constant times the size of V (0)(x) plus an amount bounded by a polynomial in |x|.Now, for every x, it is obvious that, given a description of V (0)(x), one can compute in time polynomial
in |x| a description V (l)(x) of a three-turn quantum verifier V (l) for quantum k-prover interactive proof sys-
tems by repeatedly applying the modification in the proof of Lemma 9 l times. The resulting proof system has
completeness accepting probability at least 1 − ε2l ≥ 1 − 2ε
m−1 and the soundness accepting probability at most
1 − δ4l ≤ 1 − δ
(m−1)2, as desired.
From Theorems 3 and 10, it is immediate to show the following theorem.
Theorem 11. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any functions
that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, there exists another polynomi-
ally bounded function p : Z+ → N such that QMIP(k,m,c,s) ⊆ QMIP
k, 3, 1, 1 − 1 p
.
Proof. From Theorem 3, we have that, for any polynomially bounded function p : Z+ → N, there exists some
polynomially bounded function m : Z+ → N such that QMIP(k,m,c,s) ⊆ QMIP(k, m, 1, 2− p). Now Theo-
rem 10 implies that QMIP(k, m, 1, 2− p) ⊆ QMIP
k, 3, 1, 1 − 1−2−p
(m−1)2
. Since 1−2−p
(m−1)2 ≥ 1
p for some polyno-
mially bounded function p : Z+ → N, the claim follows.
4.2 Converting to Public-Coin Systems
Now we move to the second part of the proof of Theorem 7. We first show that any three-turn quantum k-prover
interactive proof system with sufficiently large gap between the completeness and soundness accepting probabilities
can be modified to a three-turn public-coin quantum k-prover interactive proof system in which the gap between
the completeness and soundness accepting probabilities is bounded by an inverse-polynomial. In the single-prover
case, Marriott and Watrous [19] proved a similar statement that any three-message quantum interactive proof system
can be modified to a three-message public-coin one. The proof is a modification of this to the multi-prover case
and will be found in Appendix B.
Theorem 12. Let k : Z+ → N be a polynomially bounded function, and let ε, δ : Z+ → [0, 1] be any functions that
satisfy δ > 1
−(1
−ε)2. Then, any language having a three-turn quantum k-prover interactive proof system with
completeness accepting probability at least 1 − ε and soundness accepting probability at most 1 − δ has a three-turn public-coin quantum k-prover interactive proof system with completeness accepting probability at least 1 − ε
2
and soundness accepting probability at most 12 +√ 1−δ2 . Moreover, the message from the verifier to each prover in
the public-coin system consists of only one classical bit.
From Theorems 11 and 12 together with sequential repetition, we have the following corollary, which states the
equivalence of public-coin quantum k-prover interactive proofs and general quantum k-prover interactive proofs,
for any k.
17
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 19/27
Corollary 13. Let k, m : Z+ → N be polynomially bounded functions and let c, s : Z+ → [0, 1] be any functions
that satisfy c − s ≥ 1 p for some polynomially bounded function p : Z+ → N. Then, for any polynomially bounded
function p : Z+ → N , there exists another polynomially bounded function m : Z+ → N such that any language
in QMIP(k,m,c,s) necessarily has an m-turn public-coin quantum k-prover interactive proof system of perfect
completeness with soundness accepting probability at most 2− p .
Proof. Theorem 11 implies that there exists a polynomially bounded function p : Z+ → N, such
that QMIP(k,m,c,s) ⊆ QMIP
k, 3, 1, 1 − 1 p
. Now Theorem 12 implies that any language in
QMIP
k, 3, 1, 1 − 1 p
has a three-turn public-coin quantum k-prover interactive proof system of perfect com-
pleteness with soundness accepting probability at most 12 + 12
1 − 1
p ≤ 1 − 14 p . Finally, sequential repetition
shows that, for any polynomially bounded function p : Z+ → N, there exists some polynomially bounded function
m : Z+ → N such that such a three-turn public-coin quantum k-prover interactive proof system can be converted
to an m-turn public-coin quantum k -prover interactive proof system of perfect completeness with soundness ac-
cepting probability at most 2− p.
4.3 Parallelizing to Two TurnsFinally, we prove that any three-turn public-coin quantum k-prover interactive proof system can be converted into
a two-turn (i.e., one-round) quantum (k + 1)-prover interactive proof system without changing completeness and
soundness conditions. The idea of the proof is to send questions only to the first k provers to request the original
second messages from the k provers in the original system and to receive from the (k + 1)-st prover the original
first messages from the k provers in the original system without asking any question.
Theorem 14. Let k : Z+ → N be a polynomially bounded function, and let c, s : Z+ → [0, 1] be any functions
that satisfy c > s. Then, any language having a three-turn public-coin quantum k-prover interactive proof
system with completeness accepting probability at least c and soundness accepting probability at most s is in
QMIP(k + 1, 2, c , s).
Proof. Let L be a language having a three-turn public-coin quantum k-prover interactive proof system with com-pleteness accepting probability at least c and soundness accepting probability at most s, and let V be the corre-
sponding three-turn public-coin quantum verifier for quantum k-prover interactive proof systems. For every input
x, at the first turn, V first receives a quantum register Mi from the ith prover, for 1 ≤ i ≤ k, At the second turn, V flips a fair classical coin l times to generate a random string r of length l, for some polynomially bounded function
l : Z+ → N, and broadcasts r to all the prover. V also stores r in a quantum register Q in his private space. Finally,
at the third turn, V receives a quantum register Ni from the ith prover, for 1 ≤ i ≤ k. V then prepares a quantum
register V for his work space, where all the qubits in V are initialized to state |0. Now V applies the transfor-
mation V final to the qubits in (Q,V,M1, . . . ,Mk,N1, . . . ,Nk), and performs the measurement Π = {Πacc, Πrej}to decide acceptance of rejection. We construct a protocol of a two-turn quantum verifier W of the new quantum
(k + 1)-prover interactive proof system for L.
For every input x, the constructed prover W supposes that the ith prover prepares the quantum register Ni in hisprivate space, for 1 ≤ i ≤ k, and the (k + 1)-st prover prepares the k quantum registers M1, . . . ,Mk in his private
space. W prepares the quantum register V, where all the qubits in V are initialized to state |0.
At the first turn, W flips a fair classical coin l times to generate a random string r of length l, and sends r to
the ith prover for 1 ≤ i ≤ k. V also stores r in a quantum register Q in his private space. W sends nothing to the
(k + 1)-st prover.
At the second turn, the provers are requested to send the qubits in (M1, . . . ,Mk,N1, . . . ,Nk) so that the
qubits in (Q,V,M1, . . . ,Mk,N1, . . . ,Nk) form the quantum state the original three-turn verifier V would pos-
sess just after the third turn (i.e., just after the second messages from the provers) of the original protocol.
18
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 20/27
Verifier’s Protocol in One-Round System
1. Prepare a quantum register V, and initialize all the qubits in V to state |0. Flip a fair classical coin l times
to generate a random string r of length l . Store r in a quantum register Q, and send r to the ith prover for
1 ≤ i ≤ k. Send nothing to the (k + 1)-st prover.
2. Receive a quantum registerNi from the ith prover, for 1 ≤ i ≤ k, and k quantum registers M1, . . . ,Mk fromthe (k + 1)-st prover. Apply V final to the qubits in (Q,V,M1, . . . ,Mk,N1, . . . ,Nk) and accepts if and only if
the content of (Q,V,M1, . . . ,Mk,N1, . . . ,Nk) is an accepting state of the original protocol.
Figure 3: Verifier’s protocol to reduce the number of turns to two.
Now W applies V final to the qubits in (Q,V,M1, . . . ,Mk,N1, . . . ,Nk) and accepts if and only if the content of
(Q,V,M1, . . . ,Mk,N1, . . . ,Nk) is an accepting state of the original protocol.
First suppose that the input x is in L.
Let P i be the honest ith quantum prover for the original proof system, and let Pi be the quantum register
consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. Without loss of generality, it is assumed
that some of the qubits in Pi form the quantum register Ni, for each 1 ≤ i ≤ k. Let |ψ1 be the quantum state in
(M1, . . . ,Mk,P1, . . . ,Pk) that the provers P 1, . . . , P k generate just after the first turn of the original protocol so
that they can convince V with probability at least c in the original proof system.
Let Ri be the honest ith quantum prover in the constructed two-turn system, for 1 ≤ i ≤ k + 1. Each Ri
prepares the quantum register Pi in his private space for 1 ≤ i ≤ k , and Rk+1 prepares the quantum registers
M1, . . . ,Mk in his private space. R1, . . . , Rk+1 initially share |ψ1 in (M1, . . . ,Mk,P1, . . . ,Pk). At the second
turn of the protocol, Rk+1 does nothing and always sends the qubits in (M1, . . . ,Mk) to W , while each Ri, after
receiving r , first applies P i,2,r to the qubits in Pi, and then sends Ni, which is a part of Pi, to W , for 1 ≤ i ≤ k,
where P i,2,r is the second transformation of the original ith prover P i on input x in the original protocol, conditioned
that the message from V is r.
It is obvious from the construction that the provers R1, . . . , Rk+1 can convince W with probability at least c,the same probability with which the original provers P 1, . . . , P k can convince the original verifier V .
Now suppose that the input x is not in L.
Let Ri be any two-turn quantum prover for the constructed proof system, and let Ri be the quantum register
consisting of all the qubits in the private space of Ri, for 1 ≤ i ≤ k + 1. Without loss of generality, it is assumed
that some of the qubits in Rk+1 form the quantum register M = (M1, . . . ,Mk). Let |ψ be an arbitrary quantum
state in (R1, . . . ,Rk+1) that is initially shared by the (k + 1) provers in the constructed system. Suppose that, at
the second turn, if the message from W is r, each Ri applies X i,r , for 1 ≤ i ≤ k. Without loss of generality, it is
assumed that Rk+1 does nothing, and just sends the qubits in (M1, . . . ,Mk) at the second turn, since R
k+1 receives
nothing from W (that Rk+1 applies some transformation Z is equivalent to sharing Z |ψ at the beginning).
Consider three-turn quantum provers P 1, . . . , P k for the original proof system with the following properties: (1)
each P i prepares the quantum register Mi and Ri in his private space, for 1 ≤ i ≤ k, (2) P 1, . . . , P k initially share|ψ in (R1, . . . ,Rk+1), where all the qubits in Rk+1 except for those in M = (M1, . . . ,Mk) are shared arbitrarily,
(3) at the first turn, each P i sends Mi to V , for 1 ≤ i ≤ k, and (4) if the message from V is r, each P i applies X i,rat his second transformation to the qubits received from V and those in R
i, for 1 ≤ i ≤ k. It is obvious that these
provers P 1, . . . , P k can convince the original verifier V with the same probability as R1, . . . , R
k+1 can convince
W . Hence, the probability W accepts x is at most s, as desired.
Now Theorem 7 follows from Theorems 11, 12, and 14. The following is an immediate but important corollary
of Theorem 14.
19
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 21/27
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 22/27
[15] Julia Kempe, Hirotada Kobayashi, Keiji Matsumoto, Benjamin F. Toner, and Thomas Vidick. On the power of
entangled provers: Immunizing games against entanglement. arXiv.org e-Print archive, arXiv:0704.2903v1
[quant-ph], April 2007.
[16] Alexei Yu. Kitaev, Alexander H. Shen, and Mikhail N. Vyalyi. Classical and Quantum Computation, vol-
ume 47 of Graduate Studies in Mathematics. American Mathematical Society, 2002.
[17] Alexei Yu. Kitaev and John H. Watrous. Parallelization, amplification, and exponential time simulation of
quantum interactive proof systems. In Proceedings of the Thirty-Second Annual ACM Symposium on Theory
of Computing, pages 608–617, 2000.
[18] Hirotada Kobayashi and Keiji Matsumoto. Quantum multi-prover interactive proof systems with limited prior
entanglement. Journal of Computer and System Sciences, 66(3):429–450, 2003.
[19] Chris Marriott and John H. Watrous. Quantum Arthur-Merlin games. Computational Complexity, 14(2):122–
152, 2005.
[20] Ashwin Nayak and Peter W. Shor. Bit-commitment-based quantum coin flipping. Physical Review A,
67(1):012304, 2003.
[21] Michael A. Nielsen and Isaac L. Chuang. Quantum Computation and Quantum Information. Cambridge
University Press, 2000.
[22] Peter W. Shor. Fault-tolerant quantum computation. In 37th Annual Symposium on Foundations of Computer
Science, pages 56–65, 1996.
[23] Robert W. Spekkens and Terry Rudolph. Degrees of concealment and bindingness in quantum bit-commitment
protocols. Physical Review A, 65(1):012310, 2002.
[24] Xiaoming Sun, Andrew C.-C. Yao, and Daniel Preda. On entangled quantum 3-prover systems for SAT and
the magic square. Unpublished manuscript.
[25] John H. Watrous. PSPACE has constant-round quantum interactive proof systems. Theoretical Computer
Science, 292(3):575–588, 2003.
[26] John H. Watrous. Zero-knowledge against quantum attacks. In Proceedings of the 38th Annual ACM Sympo-
sium on Theory of Computing, pages 296–305, 2006.
[27] Stephanie Wehner. Entanglement in interactive proof systems with binary answers. In STACS 2006, 23rd
Annual Symposium on Theoretical Aspects of Computer Science, volume 3884 of Lecture Notes in Computer
Science, pages 162–171, 2006.
Appendix
A Proof of Lemma 5
Proof. Let L be a language in QMIP(k,m,c,s), and let V be the corresponding m-turn quantum verifier for the
quantum k-prover interactive proof system for L. Let V be the quantum register consisting of all the qubits in the
private space of V , and let Mi be that consisting of all the qubits in the message channel between V and the ithe
prover, for 1 ≤ i ≤ k. For every input x, V applies V j for his jth transformation to the qubits in (V,M1, . . . ,Mk),
for 1 ≤ j ≤ m2
+ 1. We slightly modify the protocol of V to construct another protocol of an m-turn quantum
21
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 23/27
verifier W of the perfectly rewindable quantum k-prover interactive proof system for L. For simplicity, in what
follows, it is assumed that m is even (the cases in which m is odd can be proved in a similar manner).
For every input x, the new verifier W prepares the quantum registers V and Mi for 1 ≤ i ≤ k, and two single-
qubit quantum registers B and X. Let Y be the single-qubit quantum register consisting of the qubit in V that
corresponds to the output qubit of the original verifier V . All the qubits in (X,V,B,M1, . . . ,Mk) are initialized to
|0
.
Using first (m − 2) turns, W attempts to simulate the original protocol, by applying V j to the qubits in
(V,M1, . . . ,Mk) as his jth transformation and sending Mi to the ith prover, for 1 ≤ i ≤ k and 1 ≤ j ≤ m2 − 1.
At the (m − 1)-st turn, which is a turn for the verifier, W applies V m2
to the qubits in (V,M1, . . . ,Mk) and then
sends Mi to the ith prover, for 1 ≤ i ≤ k. In addition to M1, W also sends B to the first prover.
At the mth turn, which is a turn for the provers, W receives B in addition to M1 from the first prover. W then
applies V m2 +1 to the qubits in (V,M1, . . . ,Mk), and further performs Toffoli over the qubits in (B,Y,X), using the
qubit in X as the target. W accepts if and only if the content of X is 1. Notice that the content of X is 1 if and only
if the content of B is 1 and the state in (V,M1, . . . ,Mk) is an accepting state of the original protocol. Therefore,
the soundness accepting probability is obviously at most s in the constructed protocol.
Now we present a specific protocol for honest provers to show the perfect rewindablity condition in the case
the input x is in L.
Let P i be the m-turn honest ith quantum prover for the original protocol, and let Pi be the quantum register
consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. For each 1 ≤ i ≤ k, let P i,j be the j th trans-
formation of P i on input x in the original protocol, for 1 ≤ j ≤ m2 . Let Φ∗ be any optimal state-sharing function
for k quantum provers such that the state |Φ∗(x) in (P1, . . . ,Pk) shared by the provers P 1, . . . , P k maximizes
the accepting probability of V when communicating with these specific provers P 1, . . . , P k, and let pmax be the
probability that (V, P 1, . . . , P k) accepts x when P 1, . . . , P k initially share |Φ∗(x).
For each 1 ≤ i ≤ k, the honest ith prover Ri in the constructed protocol prepares the quantum register Pi in his
private space. R1, . . . , Rk use the state-sharing function Φ∗ to initially share |Φ∗(x) in (P1, . . . ,Pk) on input x.
At the jth transformation of Ri for 1 ≤ i ≤ k and 1 ≤ j ≤ m2 − 1, after receiving the register Mi from W , Ri
applies P i,j to the qubits in (Mi,Pi) and sends Mi to W to just simulate the original protocol.
At the m2 -th transformation of R1, after receiving the registers B and M1 from W , R1 applies P 1,m
2
to the qubits
in (M1,P1) and applies the unitary transformation T defined by
T =
1
2 pmax
√ 2 pmax − 1 −1
1 √
2 pmax − 1
to the qubit in B to generate the state
1 − 12 pmax
|0 +
12 pmax
|1 in B. R1 then sends B and M1 back to W .
At the m2 -th transformation of Ri for 2 ≤ i ≤ k, after receiving the register Mi from W , Ri applies P i,m
2to the
qubits in (Mi,Pi) and sends Mi back to W , just as in the case of the original protocol.
Then, from the construction of Ri for 1 ≤ i ≤ k, it is obvious that the maximum accepting probability is exactly
equal to 12 when W communicates with R1, . . . , Rk(n), and the maximum is achieved when R1, . . . , Rk use the
state-sharing function Φ∗. This shows the perfect rewindability property, and the claim follows.
B Proof of Theorem 12
Proof of Theorem 12. The proof is a modification of the proof of Theorem 5.4 in Ref. [19] to the multi-prover case.
Let L be a language in QMIP(k, 3, 1 − ε, 1 − δ ) and let V be the corresponding three-turn quantum verifier for
quantum k-prover interactive proof systems. Let V be the quantum register consisting of all the qubits in the private
space of V , and let Mi be that consisting of all the qubits in the message channel between V and the ithe prover,
for 1 ≤ i ≤ k. For every input x, V applies V j for his jth transformation on the qubits in (V,M1, . . . ,Mk), for
22
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 24/27
Verifier’s Protocol in Three-Turn Public-Coin System
1. Receive a quantum register V from the first prover and receive nothing from the ith prover, for 2 ≤ i ≤ k.
2. Choose b ∈ {0, 1} uniformly at random. Send b to each prover.
3. Receive quantum registers Mi from the ith prover for 1 ≤ i ≤ k.
3.1 If b = 0, apply V 2 to the qubits in (V,M1, . . . ,Mk). Accept if the content of (V,M1, . . . ,Mk) is an
accepting state of the original protocol, and reject otherwise.
3.2 If b = 1, apply V †1 to the qubits in (V,M1, . . . ,Mk). Accept if all the qubits in V are in state |0, and
reject otherwise.
Figure 4: Verifier’s protocol in three-turn public-coin system.
1 ≤ j ≤ 2, and performs the measurement Π = {Πacc, Πrej} at the end of the original protocol to decide acceptance
of rejection. We construct a protocol of a three-turn public-coin quantum verifier W of the new quantum k-proverinteractive proof system for L.
For every input x, at the first turn the constructed verifier W receives the quantum register V from the first
prover. W receives nothing from the ith prover at the first turn, for 2 ≤ i ≤ k. W expects that the ith prover
prepares the quantum register Mi in his private space, for 1 ≤ i ≤ k, and that the qubits in (V,M1, . . . ,Mk) form
the quantum state the original three-turn verifier V would possess just after the second turn (i.e., just after the first
transformation of V ) of the original protocol.
At the second turn, W chooses b ∈ {0, 1} uniformly at random and sends b to each prover.
If b = 0, the ith prover is requested to send Mi, for 1 ≤ i ≤ k, so that the qubits in (V,M1, . . . ,Mk) form the
quantum state the original verifier V would possess just after the third turn (i.e., just after the second transformations
of the provers) of the original protocol. Now W applies V 2 to the qubits in (V,M1, . . . ,Mk) and accepts if and only
if the content of (V
,M
1, . . . ,M
k) is an accepting state of the original protocol.On the other hand, if b = 1, the ith prover is requested to send Mi, for 1 ≤ i ≤ k, so that the qubits in
(V,M1, . . . ,Mk) form the quantum state the original verifier V would possess just after the second turn (i.e., just
after the first transformation of V ) of the original protocol. Now W applies V †1 to the qubits in (V,M1, . . . ,Mk)and accepts if and only if all the qubits in V are in state |0.
The precise description of the protocol of W is found in Figure 4.
First suppose that the input x is in L.
Let P i be the three-turn honest quantum prover for the original proof system, and let Pi be the quantum register
consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. Let |Φ be a quantum state in (P1, . . . ,Pk)such that, if P 1, . . . , P k initially share |Φ, they can convince V with probability at least 1 − ε in the original proof
system. Let |ψ2 be the quantum state in (V,M1, . . . ,Mk,P1, . . . ,Pk) just after the second turn (i.e., just after the
first transformation of V ) of the original protocol if V communicates with the provers P 1, . . . , P k who initially
share |Φ in their private spaces.
Let Ri be the honest ith prover in the constructed three-turn system, for 1 ≤ i ≤ k. In addition to the registers V
and M1, R1 prepares a quantum register P1 in his private space. Similarly, in addition to Mi, Ri prepares a quantum
register Pi in his private space for 2 ≤ i ≤ k. R1, . . . , Rk initially share |ψ2 in (V,M1, . . . ,Mk,P1, . . . ,Pk). At
the first turn of the constructed protocol, R1 sends V to W , while each Ri, 2 ≤ i ≤ k, sends nothing to W .At the second transformation of the provers, if b = 0, each Ri first applies P i,2 to the qubits in (Mi,Pi), and
then sends Mi to W , where P i,2 is the second transformation of the original ith prover P i on input x in the original
protocol, for 1 ≤ i ≤ k. If b = 1, each Ri does nothing and just sends Mi to W at the second transformation of the
23
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 25/27
provers, for 1 ≤ i ≤ k.
It is obvious that the provers R1, . . . , Rk can convince W with probability at least 1 − ε if b = 0, and with
certainty if b = 1. Hence, W accepts every input x ∈ L with probability at least 1 − ε2 .
Now suppose that the input x is not in L.
Let Ri be any three-turn quantum prover for the constructed proof system, for 1 ≤ i ≤ k. Let |ψ be an
arbitrary quantum state that represents the state just after the first transformations of the provers R1
, . . . , Rk
in the
constructed system. Suppose that, at the second transformation of the provers, each Ri applies X i if b = 0 and Y i
if b = 1, for 1 ≤ i ≤ k and write X = X 1 ⊗ · · · ⊗ X k and Y = Y 1 ⊗ · · · ⊗ Y k. Notice that X and Y are unitary
transformations that do not act over the qubits in V.
Let |α = 1
ΠaccV 2 eX |ψΠaccV 2 X |ψ and |β = 1
ΠinitV †1
eY |ψΠinitV †1 Y |ψ, where Πacc is the projection onto
accepting states in the original protocol and Πinit is the projection onto states in which all the qubits in V are in
state |0.
Then, with a similar argument to that in the proof of Lemma 9, the probability pacc that W accepts x when
communicating with R1, . . . , R
k+1 is bounded by
pacc ≤ 1
2 1 + F
X †V †2 |αα|V 2
X,
Y †V 1|β β |V †1
Y
=
1
2 1 + F
|αα|, V 2
X
Y †V 1|β β |V †1
Y
X †V †2
.
Since Πinit|β = |β is a legal quantum state just after the first transformations of the provers in the original
protocol, V 1, X Y †
, V 2 form a legal sequence of transformations in the original protocol, and Πacc|α = |α, again
a similar argument to that in the proof of Lemma 9 shows that F |αα|, V 2 X Y †V 1|β β |V †1 Y X †V †2
≤ √ 1 − δ .
Hence the probability pacc that W accepts x is bounded by pacc ≤ 12 +
√ 1−δ2 , which completes the proof.
C Direct Proof of Modifying Three-Turn Systems to Two-Turn Systems
For completeness, here we give a direct proof of that any k-prover three-turn system can be converted into a
(k + 1)-prover two-turn system.
Theorem 16. Let k : Z+ → N be a polynomially bounded function, and let ε, δ : Z+ → [0, 1] be any functions that
satisfy δ > 1 − (1 − ε)2. Then, QMIP(k, 3, 1 − ε, 1 − δ ) ⊆ QMIP
k + 1, 2, 1 − ε2 , 12 +
√ 1−δ2
.
Proof. The proof is similar to the proofs of Lemma 9 and Theorem 12.
Let L be a language in QMIP(k, 3, 1 − ε, 1 − δ ) and let V be the corresponding three-turn quantum verifier
for the quantum k-prover interactive proof system for L. Let V be the quantum register consisting of all the
qubits in the private space of V , and let Mi be that consisting of all the qubits in the message channel between
V and the ithe prover, for 1 ≤ i ≤ k. For every input x, V applies V j for his jth transformation on the qubits
in (V,M1, . . . ,Mk), for 1 ≤ j ≤ 2, and performs the measurement Π = {Πacc, Πrej} at the end of the original
protocol to decide acceptance of rejection. We construct a protocol of a two-turn quantum verifier W of the new
quantum (k + 1)-prover interactive proof system for L.
For every input x, W supposes that the ith prover prepares a quantum register Mi in his private space, for1 ≤ i ≤ k, and the (k + 1)-st prover prepares a quantum register V in his private space. W expects that the qubits
in (V,M1, . . . ,Mk) form the quantum state the original three-turn verifier V would possess just after the second
turn (i.e., just after the first transformation of V ) of the original protocol.
At the first turn, W chooses b ∈ {0, 1} uniformly at random, and sends b only to the first k provers. W sends
nothing to the (k + 1)-st prover.
If b = 0, the provers are requested to send the qubits in (V,M1, . . . ,Mk) so that they form the quantum state
the original three-turn verifier V would possess just after the third turn (i.e., just after the second transformations of
24
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 26/27
Verifier’s Protocol in One-Round System (Direct Construction)
1. Choose b ∈ {0, 1} uniformly at random. Send b only to the first k provers. and send nothing to the (k + 1)-st
prover.
2. Receive a quantum registerMi from the ith prover, for 1
≤ i
≤ k, and a quantum register V from the (k + 1)-
st prover.
2.1 If b = 0, apply V 2 to the qubits in (V,M1, . . . ,Mk). Accept if the content of (V,M1, . . . ,Mk) is an
accepting state of the original protocol, and reject otherwise.
2.2 If b = 1, apply V †1 to the qubits in (V,M1, . . . ,Mk). Accept if all the qubits in V are in state |0, and
reject otherwise.
Figure 5: Verifier’s protocol to reduce the number of turns to two (direct construction).
the provers) of the original protocol. Now W applies V 2 to the qubits in (V,M1, . . . ,Mk) and accepts if and only
if the content of (V,M1, . . . ,Mk) is an accepting state of the original protocol.
On the other hand, if b = 1, the provers are requested to send the qubits in (V,M1, . . . ,Mk) so that they form
the quantum state the original three-turn verifier V would possess just after the second turn (i.e., just after the first
transformation of V ) of the original protocol. Now W applies V †1 to the qubits in (V,M1, . . . ,Mk) and accepts if
and only if all the qubits in V are in state |0.
The precise description of the protocol of W is found in Figure 5.
First suppose that the input x is in L.
Let P i be the three-turn honest quantum prover for the original proof system, and let Pi be the quantum register
consisting of all the qubits in the private space of P i, for 1 ≤ i ≤ k. Let |Φ be a quantum state in (P1, . . . ,Pk)such that, if P 1, . . . , P k initially share |Φ, they can convince V with probability at least 1 − ε in the original proof
system. Let |ψ2 be the quantum state in (V,M1, . . . ,Mk,P1, . . . ,Pk) just after the second turn (i.e., just after the
first transformation of V ) of the original protocol if V communicates with the provers P 1, . . . , P k who initiallyshare |Φ in their private spaces.
Let Ri be the honest ith prover in the constructed three-turn system, for 1 ≤ i ≤ k + 1. In addition to the
register Mi, Ri prepares a quantum register Pi in his private space, for 1 ≤ i ≤ k. Rk+1 only prepares the quantum
register V in his private space. R1, . . . , Rk+1 initially share |ψ2 in (V,M1, . . . ,Mk,P1, . . . ,Pk). At the second
turn of the protocol, Rk+1 does nothing and always sends V to W . At the second turn of the protocol, if b = 0,
each Ri first applies P i,2 to the qubits in (Mi,Pi), and then sends Mi to W , where P i,2 is the second transformation
of the original ith prover P i on input x in the original protocol, for 1 ≤ i ≤ k. If b = 1, each Ri, 1 ≤ i ≤ k, does
nothing and just sends Mi to W at the second turn of the protocol.
It is obvious that the provers R1, . . . , Rk+1 can convince W with probability at least 1 − ε if b = 0, and with
certainty if b = 1. Hence, W accepts every input x ∈ L with probability at least 1 − ε2 .
Now suppose that the input x is not in L.Let R
i be any two-turn quantum prover for the constructed proof system, for 1 ≤ i ≤ k + 1. Let |ψ be an
arbitrary but legal initial state in the constructed system. Suppose that, at the second turn each Ri applies X i
if b = 0 and Y i if b = 1, for 1 ≤ i ≤ k, and write X = X 1 ⊗ · · · ⊗ X k and Y = Y 1 ⊗ · · · ⊗ Y k. Without loss
of generality, it is assumed that Rk+1 does nothing, and just sends the qubits in V at the second turn, since R
k+1
receives nothing from W (that Rk+1 applies some transformation Z is equivalent to sharing Z |ψ at the beginning).
Let |α = 1
ΠaccV 2 eX |ψΠaccV 2 X |ψ and |β = 1
ΠinitV †1
eY |ψΠinitV †1 Y |ψ, where Πacc is the projection onto
accepting states in the original protocol and Πinit is the projection onto states in which all the qubits in V are in
25
8/9/2019 1 Round 070907
http://slidepdf.com/reader/full/1-round-070907 27/27
state |0. Then, with the same argument as in the proof of Theorem 12, the probability that W accepts x when
communicating with R1, . . . , R
k+1 is given by 12
1 + F
|αα|, V 2 X Y †V 1|β β |V †1 Y X †V †2
, which is at most
12 +
√ 1−δ2 , as claimed.